Upping the Ante for Business Value


As we have chronicled for the past decade and more in CSO, security has gone from an afterthought to a requirement to a priority to a major player in businesses around the world.


And for the past few years, we've also seen a shift from security being seen as a necessary but business-inhibiting function to where it stands now: in many places, a business enabler.

This year, as we selected our second annual CSO40 award winners, I was struck by the innovative and thoughtful ways security leaders are now delivering indisputable ROI with projects designed to secure the organization. Many efforts to enhance security are no longer simply cost centers, but unquestionably value-added features.

Take, for example, our featured winner, Cummins. In 2013, the company aimed to establish an IT Operational Resilience risk management practice based on the business criticality of key applications and infrastructure, with the goal of having the ability to more easily enable disaster recovery planning on critical systems. In designing the project, the company developed an asset-classification system, allowing it to have an objective frame of reference during the strategic decision-making process and to keep bad investments of time and money at the lowest level.

Another winner, Comcast, has taken the complicated and time-consuming task of compliance and automated much of it. Its new PCI/SOX compliance program reduces costs by automating controls that were previously manual, and it's estimated that the program will save the company thousands of man-hours each year.

We congratulate this year's outstanding winners and look forward to hearing more from them in the future as security continues to innovate in an effort to secure, strategize and save.

-Joan Goodchild,
Editor, jgoodchild@cxo.com
Cockroaches in the Supply Chain

Businesses have always had concerns about supply chain risks, but for most businesses, those risks involve shipping delays, parts shortages and labor issues.

But that's starting to change, as evidenced by CSOonline's recent coverage of the discovery of malicious apps on new Android devices.

In case you missed it, the story in question examined how a malicious app, disguised to look like the Netflix app, was found preinstalled on Android-based devices from four different manufacturers. Somehow, somewhere along the supply chain, the malicious app was installed in those devices. The immediate questions for manufacturers are "When?" "Where?" and "How?" I think you can guess at the why.

Despite Android manufacturers' silence on the issue, I know they are taking it very seriously. They see the risk this poses to their market. For the owner of the real app, in this case Netflix, it can pose a serious public relations challenge (let's not forget they're one of the victims here). But what about the buyers?

I'd wager a guess that the vast majority of people buying mobile devices have no clue how to examine their preinstalled apps to see if they are the real deal or malicious knockoffs. How would you even begin to address this, outside of using the tools and expertise that some (not all) enterprises possess? Frankly, this is the least of my concerns.

If the supply chain has been compromised, can buyers be sure that the shiny new device they just pulled out of the box doesn't have a compromised operating system or, even more troubling, compromised embedded software? I see the trust model beginning to erode.

Is this issue just one more thing to worry about? Sure, we can add it to the long list of risks that need to be considered, but it may also prove to be a game-changer. We've always worried about what gets added after a device is purchased, making that the primary focus of our defense. But what happens when we can't trust that we're acquiring pristine devices from our suppliers in the first place?

Yes, I hear the chatter already: "What about operating systems? Those have always been rife with vulnerabilities." But we've grown to expect those flaws and to mitigate them through patch management and perimeter control solutions. Your business should be looking at tools you can use to address this new risk and should examine where else, in your own supply chain, you might be vulnerable to product tampering. Please tell us your ideas for protecting your supply chain, and look out for those cockroaches.

-Bob Bragdon, publisher
bbragdon@cxo.com
Box, Dropbox, or Drop Both?

The two biggest cloud file-sharing services are extremely popular, but do they meet enterprise security standards? By David Geer


"There are four critical questions every enterprise and IT administrator should ask when considering file-sharing services," says Adam Gordon, author of the Official (ISC)2 Guide to the CISSP CBK. These are: Where will the service store and share files? Who will view the files? How will the service protect the files? And what types of files will the service permit in the storage system? If a service provider doesn't respond satisfactorily, CISOs should consider other options.

CSO decided to evaluate the security of Box and Dropbox using these questions. Does either meet enterprise security standards for cloud-based file sharing?

Where Is It Stored?

File-sharing services store data outside corporate IT, where enterprises can lose control of it. Enterprises cannot ensure service uptime, file availability, or even that the service will not shut down altogether.

"This exact circumstance left customers of the Megaupload file-sharing service virtually stranded, without access to files in the service's cloud environment," says Gordon.

Box reassures enterprise customers with a service-level agreement (SLA) guarantee of 99.9 percent uptime, maintaining that uptime in several ways and offering customer account credits when it fails. "First, we have a single infrastructure serving all our customers at all paid levels. We deploy the highest quality networking and services at a much bigger scale, which allows us to offer enterprise protection more efficiently," says Grant Shirk, enterprise group product marketing manager for Box.

That infrastructure spans four geographically dispersed locations, including three primary data centers. "We select colocation facilities with the highest levels of service bandwidth and disaster avoidance for these data centers," says Shirk. A fourth facility offers emergency backup storage for encrypted binaries so Box can restore from that location.

Dropbox offers uptime guarantees, but doesn't share them publicly. "We provide uptime or SLA guarantees in specific commercial contracts," says Cory Louie, head of trust, safety and security for Dropbox. Dropbox stores customer data on Amazon S3 and mirrors encrypted file data in colocated data centers. Dropbox currently stores all customer data inside the U.S.

Who Can See It?

Cloud file-sharing services must protect the access rights of individual accounts. But Box enables account managers to roll employees' free accounts into the enterprise's business accounts. Sometimes the free users who get rolled up include external collaborators who are not employees, which leads to a variety of complications.

Collaborators can end up having their accounts managed by the enterprise without their knowledge or consent. Unauthorized people may end up sharing corporate data, and they may expose that data in any number of ways, or even delete it.

Though such an incident has occurred, Box has taken steps to prevent it being repeated. "We added controls to make sure that no one rolls in accounts without the understanding and knowledge of both parties, the account holder and the organization," Shirk says.

Cloud data services such as Dropbox offer an easy portal for data theft, according to Gordon. "Companies may want to keep an especially tight leash on contractors in restricting their access to future Dropbox business accounts," says Gordon.

But Dropbox guards against inappropriate access using two-factor authentication and identity- and access-management tools, which Dropbox integrates into its application. "We have built integrations into the leading identity providers or federated identity providers like Okta, Ping Identity, OneLogin, and Centrify. It's all standards-based, so we can work with any kind of [identity- and access-management] tool that an enterprise uses," says Ross Piper, vice president of enterprise strategy at Dropbox.

How Will They Protect It?

Box transmits files over SSL-encrypted sessions and encrypts files at rest with 256-bit AES, according to Shirk. Box is ISO 27001 certified and offers its SSAE 16 SOC 2, Type 2 report, which replaces SAS 70 as evidence of meeting enterprise security and compliance standards. Box is working on industry-specific frameworks such as compliance with PCI and HIPAA. Box can help companies achieve compliance with HIPAA while using its service, according to Shirk.

Dropbox supports TLS 1.0 through 1.2 and SSL v3 for data in transit. "This creates a secure tunnel that up to 256-bit encryption protects," says Louie. The protocol version and cipher strength actually used depend on what the client negotiates, so a client that settles for SSL v3 or a weak cipher suite gets less protection than the 256-bit figure suggests. Dropbox also uses a 256-bit AES cipher for data at rest. In addition, Dropbox splits the files. "We anonymize each of those file pieces or file blocks with a hash value. We then encrypt those hashed file blocks separately and store the encryption keys separate from the encrypted file blocks," says Louie.
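The block-level design Louie describes, as an added example that is not Dropbox's code: a file is cut into fixed-size blocks, each block is identified by the SHA-256 hash of its plaintext (so a block two files share is stored once), each block is encrypted under its own key, and the key table lives apart from the ciphertext store. The HMAC-SHA256 counter-mode keystream stands in for AES-256 so the script runs on the Python standard library alone; it is not a production cipher and adds no integrity check. The block size, the key handling and the two sample files are assumptions.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 counter-mode keystream.

    Stand-in for AES-256 (assumption) so the example needs only the standard
    library. Encrypting and decrypting are the same operation.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(d ^ k for d, k in zip(data, out))


class BlockStore:
    """Content-addressed, per-block encrypted storage with a separate key table."""

    def __init__(self, block_size: int = 4 * 1024 * 1024):
        self.block_size = block_size   # 4 MiB default is an assumption
        self.ciphertext = {}           # block_id -> encrypted block
        self.keys = {}                 # block_id -> (key, nonce); held apart from ciphertext

    @staticmethod
    def block_id(plaintext: bytes) -> str:
        """The hash value that identifies a block in both stores."""
        return hashlib.sha256(plaintext).hexdigest()

    def put(self, data: bytes) -> list[str]:
        """Store a file; return the ordered block ids needed to rebuild it."""
        manifest = []
        for off in range(0, len(data), self.block_size):
            chunk = data[off:off + self.block_size]
            bid = self.block_id(chunk)
            manifest.append(bid)
            if bid in self.ciphertext:
                continue               # already stored: deduplicated, no new key
            key, nonce = os.urandom(32), os.urandom(16)
            self.keys[bid] = (key, nonce)
            self.ciphertext[bid] = keystream_xor(key, nonce, chunk)
        return manifest

    def get(self, manifest: list[str]) -> bytes:
        """Rebuild a file from its manifest; needs both the key and ciphertext stores."""
        return b"".join(keystream_xor(*self.keys[bid], self.ciphertext[bid]) for bid in manifest)


def demo() -> dict:
    """Two constructed files that share their first block; returns checkable facts."""
    store = BlockStore(block_size=1024)            # small blocks for the demo (assumption)
    shared = (b"common header " * 70).ljust(1024, b"\0")
    file_a = shared + b"A" * 1500                   # 3 blocks: shared, 1024 x A, 476 x A
    file_b = shared + b"B" * 300                    # 2 blocks: shared, 300 x B
    man_a, man_b = store.put(file_a), store.put(file_b)
    return {
        "roundtrip_ok": store.get(man_a) == file_a and store.get(man_b) == file_b,
        "blocks_stored": len(store.ciphertext),     # 4 unique blocks, not 5
        "first_block_shared": man_a[0] == man_b[0],
        "ciphertext_leaks_plaintext": any(c == file_a[:1024] for c in store.ciphertext.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two properties of this layout are worth checking before trusting a vendor's description of it. Because the block id is a hash of the plaintext, the hash table alone reveals which customers hold identical blocks, and anyone who can query it can test whether a known file is present; and because the ciphertext store without the key table yields only block sizes and sharing patterns, the key table is the asset whose access controls and audit trail matter most.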

"We have a current SOC 2/Type 2 report available to our customers by request," says Louie. "We're going to maintain that and be subject to audit at least on an annual basis."

If an enterprise customer wants to use Dropbox in compliance with regulations such as HIPAA and FERPA, third-party developers offer applications that work with Dropbox, and some of those applications help organizations meet those regulatory requirements, says Piper.

What Kind of Data Is Allowed?

Hackers could create "floating" attack-staging platforms inside these file-sharing services. Due to the nature of these services, says Gordon, they heavily defend customer files from the outside in, but don't examine them as carefully from the inside out.

"Specifically, due to a desire to be all things to all customers, many of these vendors follow a guiding business principle to acquire ever-larger shares of the customer segments that they target by allowing almost totally unrestricted content storage within their systems. Some of that content can be highly toxic and lethal," explains Gordon.

But according to Box, its controls make floating attack platforms inside the service highly unlikely. "While Box does not restrict the kinds of files customers can upload, Box is not a live, runtime environment. Scripts and executables cannot run within the platform," says Shirk. Further, Box enables customers to run antivirus scans on content to mitigate any potential for infection. "And we restrict file conversion and interpretation only to known file types (.doc, .txt, .xls, etc.)," says Shirk.

Dropbox doesn't take as many precautions. Though Dropbox accepts files of any type for storage, users agree to not misuse the service, according to Louie.

"We review reports of abuse and violations of acceptable-use policies and take appropriate action when necessary," Louie says.


■ David Geer is a freelance writer and regular contributor to CSO.


Researchers Exploit HTTPS to Mine Personal Data


University researchers have developed a technique that governments and Internet service providers could use to learn what users are doing over encrypted HTTPS connections, without breaking the encryption, and gather valuable personal information on unsuspecting users.

The traffic analysis attack, which examines patterns in the encrypted packets rather than their contents, determined which Web pages a person visited with 89 percent accuracy, according to University of California, Berkeley researchers. Such tracking made it possible for the researchers to gather information on medical conditions, sexual orientation, financial status and whether a person is involved in a divorce or bankruptcy proceeding.

The study looked at more than 463,000 page loads on 10 widely used, industry-leading websites. The healthcare sites examined belonged to the Mayo Clinic, Planned Parenthood and Kaiser Permanente; financial sites belonged to Wells Fargo, Bank of America and Vanguard; legal services sites belonged to the American Civil Liberties Union and Legal Zoom; and video-streaming sites belonged to Netflix and YouTube.

For the attack to work, snoops would have to be able to visit the same Web pages as the victim, which would enable the attackers to identify packet patterns in encrypted traffic that would be indicative of different Web pages.

"It would be like if somebody gave you a bicycle but took it apart and wrapped each piece individually," says Brad Miller, co-author of the study. "You would quickly notice that there were two big packages which look like wheels, a frame, a squiggly one that corresponds to a chain, etc.

"It's the same way with a Web page. Because we watch each of the parts be delivered individually, there ends up being so much information which you can observe without decrypting the packets that you can quite likely figure out the exact Web page."

The attackers must also be able to observe victim traffic, which would allow them to match those packet patterns with the ones going to particular Web pages.


The researchers also developed a defense that involved reducing the amount of packet information an attacker could gather. The technique lowered the accuracy of identifying Web pages visited from 89 percent to 27 percent.
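To make the mechanism concrete, here is an added example that is not code from the Berkeley study. It simulates the attacker's two steps against a constructed catalogue of five pages: first load every candidate page and record a fingerprint (a histogram of the sizes of the TCP segments carrying each encrypted resource), then match a victim's observed trace to the nearest fingerprint. It then applies one crude defense of the kind the study's approach reduces to, padding every resource to a multiple of 8 KiB before encryption, and measures the attack again. The segment size, TLS record overhead, page catalogue and per-load size jitter are assumptions, and the accuracy figures it prints describe this toy catalogue, not the study's 89 and 27 percent.

```python
import random
from collections import Counter

MSS = 1460           # payload bytes per full-size TCP segment (assumption)
TLS_OVERHEAD = 29    # per-record header plus MAC/tag bytes (assumption)
BIN = 200            # histogram bin width in bytes (assumption)

# Constructed catalogue: URL -> plaintext sizes of the resources one page load fetches.
PAGES = {
    "/conditions/diabetes":   [16_500, 2_050, 41_100, 5_120],
    "/conditions/hiv":        [24_000, 6_950, 48_000, 3_600],
    "/conditions/depression": [20_000, 4_000, 45_000, 1_200],
    "/billing/overdue":       [3_000, 6_100, 26_100],
    "/billing/statement":     [7_500, 1_500, 31_000],
}


def pad_to(size, block):
    """Defense: pad a plaintext up to the next multiple of `block` bytes."""
    return size if size % block == 0 else size + (block - size % block)


def packet_sizes(resource_sizes, rng, pad_block=None):
    """What an on-path observer sees for one page load: the sizes of the TCP
    segments carrying each encrypted resource. Each resource varies by up to
    10 bytes per load (constructed jitter standing in for dynamic content)."""
    sizes = []
    for size in resource_sizes:
        size += rng.randint(-10, 10)
        if pad_block:
            size = pad_to(size, pad_block)
        full, rem = divmod(size + TLS_OVERHEAD, MSS)
        sizes.extend([MSS] * full)
        if rem:
            sizes.append(rem)
    return sizes


def fingerprint(sizes):
    """Feature vector: histogram of packet sizes bucketed to BIN bytes."""
    return Counter(s // BIN for s in sizes)


def l1(a, b):
    """L1 distance between two histograms."""
    return sum(abs(a[k] - b[k]) for k in set(a) | set(b))


def build_reference(pad_block=None, samples=5, seed=1):
    """Attacker step 1: load every candidate page and record its fingerprints."""
    rng = random.Random(seed)
    return [(url, fingerprint(packet_sizes(sizes, rng, pad_block)))
            for url, sizes in PAGES.items() for _ in range(samples)]


def classify(trace, refs):
    """Attacker step 2: nearest-neighbour match of a victim's trace."""
    fp = fingerprint(trace)
    return min(refs, key=lambda ref: l1(fp, ref[1]))[0]


def accuracy(pad_block=None, trials=20, seed=2):
    """Fraction of simulated victim page loads identified correctly."""
    refs = build_reference(pad_block)
    rng = random.Random(seed)
    hits = total = 0
    for url, sizes in PAGES.items():
        for _ in range(trials):
            total += 1
            hits += classify(packet_sizes(sizes, rng, pad_block), refs) == url
    return hits / total


if __name__ == "__main__":
    print(f"no padding:    {accuracy():.0%} of page loads identified")
    print(f"pad to 8 KiB:  {accuracy(pad_block=8192):.0%} of page loads identified")
```

Without padding the classifier identifies every load of this toy catalogue, because the small per-load variation never changes the number of full-size segments or moves a trailing segment across a histogram bin. With padding, pages whose resources fall into the same 8 KiB buckets produce identical traces, so the classifier can only guess among them. Note what padding still leaks: the number of resources and their bucketed sizes, which is why a defense has to be evaluated against an attacker who adapts to it rather than against the original classifier alone.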

The research has important privacy implications. Being able to examine user activity on a healthcare site could reveal medical conditions, which could lead to discrimination or which could be sold to advertisers looking to pitch products.

Monitoring traffic on a legal site could uncover a divorce, a bankruptcy or a person's immigration status, while analyzing traffic on a banking site could provide insight into whether a person has children, is in a long-term relationship or is in a high income bracket.

Any company with access to HTTPS traffic, such as Internet service providers and commercial chains of Wi-Fi access points, could gather data on users despite the encryption and sell the information to advertisers, the study said.

Employers could monitor the activities of employees while they are on the corporate network, regardless of whether they are using a personal or employer-issued device.

Finally, governments could use the collected information to find criminals and punish political dissidents or people who defy censors, the study said. In China, for example, the social media firm Sina recently punished more than 100,000 users through account suspensions and occasional public admonishment for violating the government's guidelines for Internet use.

-Antone Gonsalves
Criminals on Tor Are the Price of Liberty

Research pointing to rising criminality on the online-anonymity network Tor demonstrates the downside of having a network that protects the identities of whistleblowers, journalists, political dissidents and others trying to avoid government surveillance.

Experts agree that nothing could be done to prevent cybercriminals from using Tor without raising the risk to legitimate users. Recent research by Kaspersky Lab expert Sergey Lozhkin found that "the cybercriminal element is growing" on the network.

The way Tor is used by Chinese dissidents to skirt the Great Firewall and oppressive censorship is the same way that people hide their names when operating or visiting marketplaces and forums where criminals can rent botnets for DDoS attacks, or when distributing malware, buying stolen credit card numbers and laundering bitcoins, the most widely used currency on the dark Web.

"If it were possible to stop criminals from using Tor, it would be useless," says Julian Sanchez, a research fellow at the Cato Institute. "After all, the dissidents who use it to protect themselves are considered criminals by their own regimes."


While the depth and breadth of criminal resources on Tor are not on the same scale as the traditional Internet, Lozhkin did find 900 hidden online services and 5,500 nodes and 1,000 exit nodes used in criminal activity.

A node (Tor calls them relays) is any computer or other device that passes traffic through the network. An exit node is the last relay in a Tor circuit: it opens the connection to the destination IP address and port on the user's behalf, so the destination sees the exit node's address rather than the user's.

"Like all technologies, Tor is dual use," says Jerry Brito, head of the Technology Policy Program at the Mercatus Center at George Mason University. "Fire can be used to cook and to keep warm, but it can be used to destroy a village as well. The key is to target those who would misuse the technology, and not the technology itself."


Jason Smolanoff, vice president of Stroz Friedberg, says the digital forensics firm has used sophisticated technology and investigative techniques to identify individuals involved in computer intrusion and copyright infringement.

"While Tor does provide anonymity on the Internet, it is not foolproof, and many cybercriminals often leave other investigative clues as to their identity and motivation, and are ultimately caught by investigators," Smolanoff says.

One of the most notorious Tor marketplaces busted by U.S. authorities was Silk Road, which was shut down last year as its creator was arrested in San Francisco. Sellers primarily traded in illegal drugs, with thousands of listings for marijuana, heroin, methamphetamines, and more.

While Silk Road-like operations should not be tolerated, shutting down or compromising Tor would have a more serious impact on society.

"The gamble our own government made when funding Tor was that a decentralized anonymity network resistant to state power would ultimately be enough of a net benefit to global liberty that it was worth accepting the protection it would also necessarily afford genuine bad actors," Sanchez says.

Tor originated from a Navy project aimed at protecting government communications. The technology developed by the Naval Research Lab was eventually used to build the anonymity network we see today.

-Antone Gonsalves
[Photo caption: People take part in a 2011 march for U.S. Rep. Gabrielle Giffords in Tucson, Ariz.]
Keep a Weather Eye on Social Media

Violent people often signal their attacks beforehand, and alert security departments may spot online threats in time to head off trouble. By David Geer


Internet chatter can offer clues that warn you of threats of violence against your organization and its employees. Here's why and how security managers should keep an eye on social media.

Spot the Lone Actor

Lone actors such as active shooters and bombers target public places like schools, malls and movie theaters, and public events like speaking engagements. In many cases, threats of violence posted to social media precede these attacks.

With this in mind, CSOs and CISOs should consider complementing their other security measures with social media monitoring in hopes of spotting lone actors who plan to carry out threats of violence against the enterprise or its employees.

Authorities have noticed a trend of strange and threatening behavior among lone actors on social media prior to acts of violence such as mass murders. For example, in early 2011, after Jared Lee Loughner went on a shooting spree in Tucson, Ariz., that killed six and injured 13, including Rep. Gabrielle Giffords, police found more than a hundred disturbing gaming forum posts from 2010 at the Earth Empires game site and half a dozen bizarre YouTube videos that Loughner posted before the attack.

Certainly, not everyone who says bizarre and violent things online will go on to attack people with bombings and shootings. But no enterprise wants to miss a rash of social media threats against its people, or catch one and fail to act on it.

The CISO's role is to assess the risk from threats of violence that people post online, to communicate that risk to executive management and to help decide what the company's risk tolerance is, says Dennis Devlin, CISO at Savanture. Then the enterprise must create and institute policies and programs to make sure it carries out the executive management's intent.

Choose Monitoring Tools

The enterprise has several tools at its disposal that help it monitor social media for threats of violence, including sentiment and keyword monitoring tools like Hootsuite, according to Max Goldberg, social media expert at Shmedia Media. Hootsuite lets users create streams of keywords and phrases they want to follow.

Similar to how typical social media management governs outbound content, the enterprise can monitor inbound content, according to Goldberg. Applications such as Bottlenose and SocialMention use search-based filtering techniques to monitor social media and are useful for spotting threats of violence.

Google Alerts are also useful for monitoring social media. In addition to watching the company's brand name, the name of the corporation and trademarks and slogans, the enterprise can automate alerts that include executive and employee names and words and phrases commonly used in threats.

Enterprises should train executives and employees to recognize potentially serious threats and respond accordingly. It's important to have a clear triage procedure that every employee can follow in relation to social platforms, says Goldberg. The policies should provide examples of threats that people could make and carry out along with examples of what to do about it.

Do a Threat Assessment

"Public Safety should always be the first contact for threats of violence," says Devlin. When threats appear on social media, public safety, public relations, legal, executive management and law enforcement work together to assess the threat. The enterprise needs a well-established plan to facilitate this. Threat assessment must be a collaborative effort that starts with the public safety organization and closely coordinates with information security, HR and the office of general counsel.


"The threat assessment team has to determine whether this is someone acting up or there is some legitimacy to the threat," says Devlin. Get the IT department to look at where it came from, because the source of the threat will clue the enterprise in to other factors for threat assessment. To determine how genuine it is, get public safety involved. They may then get law enforcement involved.

Ensuring physical safety is the highest priority, stopping further threats is next, and after that is determining whether someone has broken a law or policy, which carries the potential for prosecution or HR action. "An after-action review should follow that to see whether the whole thing could have been prevented," says Devlin.

Enlist Legal Expertise

Threats of physical violence are easier to deal with from a legal standpoint than other types of threats, says attorney Tomas M. Flores.

"You have a civil injunction for the individual if you can identify them, and if the threat is sufficient enough, that is now a criminal matter and you should bring it to the attention of your local police or prosecutor," says Flores.

Information security and perhaps external law enforcement will have to collaborate to discover the identity of a person posting an anonymous threat on social media. The information security group is accustomed to dealing with the social media aspect and can look into technical evidence pointing to the perpetrator. The police now have tools for tying social comments to real-world crime, including LexisNexis' new Social Media Monitor.

The prosecutor can ask the judge for a criminal protective order prohibiting the offender from contacting or coming within 300 feet of the intended victim. And violation of these court orders is a crime. "Prosecutors love violations of court-order crimes," says Flores. All the person or the enterprise needs is a court order and evidence that the offender is making contact or coming within 300 feet. If the victim can produce a photo of the person 20 feet away, then the prosecutor picks up the phone. "The police go to the defendant's house, cuff him and throw him in jail until the hearing," says Flores.

Keep Detailed Records

Unprepared victims can limit the effectiveness of police and prosecutors. In-house counsel should keep meticulous records on the defendant and their conduct. "If the intended victim needs psychiatric help or they need Xanax because they're so panicked about this person, those damages might be recoverable from that defendant," says Flores.

In-house counsel should maintain a good relationship with the watch commander of local law enforcement. "When you call, be very nice, work with your detective, when the detective calls, pick up the phone right then," says Flores. The police are often very busy, and armed robberies will take precedence over corporate threats.

"I would keep a good relationship with a local investigator as well. Private investigators are often retired detectives and are phenomenal at what they do," says Flores.


■ David Geer is a freelance writer and regular contributor to CSO.


Skills You Need in an SOC Analyst

Your security operations center is useless without people who can both code and communicate. By Rick Howard


Building a security operations center (SOC) from scratch or revamping an underperforming one is a daunting leadership challenge. Of all the tasks you have to think about, finding and hiring a set of SOC analysts with the right skills has to be a top priority.

These people are the last line of defense; if an adversary gets past your SOC analysts, nobody else in the organization can find them. You can buy and deploy all the latest tools for your security stack, but if you don't have the right people to run them and analyze the data they generate, you're wasting your time.

You need qualified people to make sense of it all, and these people have to be experienced and passionate about what they do. Folks like these are hard to come by, so let's take a look at what makes a top-notch SOC analyst.

The top five entry-level SOC analyst skills:

1. Strong understanding of basic computer science: algorithms, data structures, databases, operating systems, networks, and tool development.

2. Strong understanding of IT: help desk, endpoint management and server management.

3. Strong ability to communicate: write clearly and speak authoritatively to different audiences (business leaders and techies).

4. Strong understanding of adversary motivations: cybercrime, hacktivism, cyberwar, espionage and cyberterrorism.

5. Strong understanding of security operations concepts: perimeter defense, employee-owned device management, data-loss protection, insider threats, kill-chain analysis, risk assessment and security metrics.

Top  five  specialties  for  senior  SOC  analysts: 

1.  Strong  understanding  of  vulnerability 
management:  What  are  vulnerabilities,  and 
how  do  we  find  and  mitigate  them? 

2.  Strong  understanding  of  malicious  code: 
reverse  engineering  skills,  practitioner  tactics, 
techniques  of  common  motivations. 

3.  Strong  understanding  of  basic  visualiza¬ 
tion  techniques,  especially  big  data. 

4.  Strong  understanding  of  basic  intelli¬ 
gence  techniques. 

5.  Strong  understanding  of  important  for¬ 
eign  languages:  first  tier:  Chinese,  Russian, 
Arabic  and  Korean.  Second  tier:  Japanese, 
German,  French,  Portuguese  and  Spanish. 

The  skill  that  is  the  hardest  to  find  in  an 
SOC  analyst  is  the  ability  to  communicate:  to 
present  actionable  intelligence  derived  from 
the  raw  information  at  their  fingertips. 

It’s  tough  to  relate  the  impact  of  a  security 
event  to  a  business  leader,  government  leader 
or  techie  if  the  SOC  analyst  cannot  transform 
the  information  into  something  the  audience 
cares  about.  They  can  be  the  smartest  reverse 
engineer  on  the  planet,  but  that’s  useless  if 
they  can’t  translate  geek  speak  into  some¬ 
thing  the  CISO  can  use  to  determine  if  they 
should  dedicate  resources  to  the  problem. 
They  might  have  a  lucrative  career  as  a  cyber¬ 
criminal,  but  they  will  fail  as  an  SOC  analyst. 


■  Rick  Howard  is  the  CSO  of  Palo  Alto 
Networks. 
No One Is Immune from Data Breaches, and
We Have to Make Everyone Understand That


Perhaps  some  of  the  rise  in  reported  breaches  is  the  result  of 
reporting  laws  coupled  with  advances  in  detection.  As  a  result, 
more  breaches  are  discovered  and  reported;  it  may  not  mean  more 
breaches  are  happening. 

Data  breaches  are  becoming  a  part  of  the  daily  landscape  as  the 
growing  value  of  data  lures  more  and  more  attackers. 


The  Proliferation 
of  Data 

Over  the  past  two  decades, 
the  cost  of  storage  has  de¬ 
creased  as  ease  of  data  col¬ 
lection  has  increased.  Data 
abounds,  and  that  means 
anyone  and  everyone  is  a 
target. 

Organizations  of  all  sizes 
struggle  to  categorize,  store 
and  handle  information. 

It’s  a  growing  business  with 
a  lot  of  potential.  Attack¬ 
ers  see  the  potential,  too. 
Their  investment  is  in  how 
to  find,  extract  and  exploit 
the  data. 


WE  COVERED  FOUR  BREACHES  ON  THE  “DOWN  THE 
Rabbithole”  newscast  this  week.  While  it  started  with  a  brief  dis¬ 
cussion  of  Target,  three  of  the  breaches  were  new,  and  they  weren’t 
limited  by  industry  or  organization  size. 

In  my  book,  Into  the  Breach,  I  wrote  about  breach  as  a  symptom. 
Now  we  see  evidence  of  a  widening  gap  between  the  perception 
and  reality  of  data  breach¬ 
es.  Organizations  continue 
to  believe  they  are  neither 
targeted  nor  likely  to  suc¬ 
cumb  to  attack.  They  delude 
themselves  into  thinking 
that  either  they  can  invest 
enough  to  prevent  breaches 
or  their  profile  keeps  them 
under  the  radar. 

The operating reality of breaches is that they’re no longer
a question of if, but when.

The  Reality: 

When  a  Breach 
Happens  to  You 

According  to  Thomas  Rea¬ 
gan,  the  large  risk  under¬ 
writer  for  Beazley's  Breach 
Response  Insurance,  the 
number  of  reported  data 
breaches  is  on  the  rise.  This 
includes  the  over  500  data 
breaches  the  company  han¬ 
dled  in  2013. 

Reagan  explained  that 

“organizations  have  not  fully  come  to  grips  with  the  reality  that 
it’s  not  if,  it’s  when.  There’s  still  this  notion  that  they  can  prevent 
breaches  from  happening,  or  this  doesn’t  apply  to  them.  That 
they’re  not  an  organization  in  the  crosshairs.” 


Newfound  Awareness  and  Reporting 

While the number of reported breaches is increasing each year,
Reagan pointed out that it is too soon to tell if the overall rate (that is,
the percentage of companies experiencing a data breach) is increasing.


The  Road  Ahead 

It’s  time  to  encourage  a  shift 
in  thinking.  We  need  to  close 
the  gap  between  perception 
and  reality.  Breaches  are  the 
reality.  Organizations  of  all 
sizes  need  to  consider  that 
and  act  accordingly. 

We  need  to  continue  to  explore  and  discuss  where  the  harm  re¬ 
ally  is.  Ultimately,  it  leads  to  different  ways  of  thinking  about  and 
protecting  information.  It  means  organizations  need  to  consider 
how  to  implement  Minimum  Viable  Security. 

We  need  more  transparency.  That  likely  means  changing  compa¬ 
nies’  ability  to  describe  what  happened,  and  perhaps  assign  liabil¬ 
ity  to  an  inability  to  explain  what  went  wrong.  Instead  of  mocking 
and  castigating  mistakes,  we  must  draw  on  what  happened  to  im¬ 
prove  the  fate  of  others. 

-Michael  Santarcangelo 
James Yang, director
of  disaster  recovery 
for  global  information 
security  at  Cummins 


Cummins: 

Using  Logic  to  Protect 
Business-  Critical  Assets 

The  company’s  effort  to  create  a  new  IT  Operational  Resilience 
risk-management  practice  earned  it  top  honors  in  the  second 
annual  CSO40  awards,  which  recognize  security  projects 
that  deliver  outstanding  business  value  By  Bob  Violino 


CUMMINS  IS  A  FORTUNE  500  CORPORA- 
tion  of  complementary  business  units  that 
design,  manufacture,  distribute  and  service  en¬ 
gines  and  related  technologies,  including  fuel 
systems,  controls,  air  handling,  filtration,  emission  solu¬ 
tions  and  electrical  power  generation  systems. 

Like  many  other  global  enterprises,  the  com¬ 
pany  is  looking  for  ways  to  better  manage  and 
mitigate  IT-related  risk.  Cummins  employs  about 
48,000  people  worldwide  and  serves  customers  in 
about  190  countries  and  territories  through  a  net¬ 
work  of  more  than  600  company-owned  and  in¬ 
dependent  distributor  locations  and  6,500  dealer  locations. 

The  company  in  2013  set  out  to  establish  a  Cummins  IT 
Operational  Resilience  risk-management  practice  based  on 
the  business  criticality  of  key  applications  and  infrastruc¬ 
ture.  One  of  the  drivers  was  to  have  the  ability  to  more  easily 
enable  disaster  recovery  (DR)  planning  on  critical  systems. 


“DR, like security, for business-critical systems should no
longer be an option and should be part of the architecture planning
process,” says James Yang, director of disaster recovery
for global information security at Cummins.

The  effort  began  when  Cummins  leaders  decided  that 
they  needed  a  better  way  to  classify  the  business 
value  their  IT  assets  provided.  The  majority  of  IT 
asset  owners  from  various  business  units  were 
claiming  that  their  applications  were  critical  to 
the  business,  from  both  operational  and  risk-man¬ 
agement  perspectives.  “If  everything  is  important, 
then  nothing  really  is,”  Yang  says. 

The  strategic  objectives  of  the  practice  were  to  classify  IT 
assets  by  business  criticality,  establish  and  maintain  busi¬ 
ness  resilience  standards,  implement  ongoing  assessments 
of  key  business  systems  against  standards,  and  ensure  that 
business  and  IT  leadership  make  informed  risk-manage¬ 
ment  trade-offs,  Yang  says. 


“It became very apparent that Cummins must have a holistic,
prioritized and business-agreed list of IT assets by
their contribution to critical business activities,” Yang says.

The  primary  purpose  of  creating  a  business-criticality- 
driven  IT  framework  was  to  enable  the  business  by  man¬ 
dating  that  business  criticality  assessment  be  a  key  driver 
and  an  integral  part  of  IT  planning,  system  development, 
deployment  and  support  processes. 

The  program  was  launched  with  the  company’s  CIO  and 
staff  involved  in  the  planning  and  execution  of  the  program. 
Cummins’  IT  department  is  working  with  business  repre¬ 
sentatives  for  the  ongoing  maintenance  of  the  program. 

Many  organizations  and  consulting  agencies  focus  solely 
on  facilitating  sessions  for  executives  in  various  business 
functions  to  identify  and  prioritize  potential  threat  sce¬ 
narios  by  likelihood.  Upon  finalizing  the  prioritized  list, 
relevant  parties  are  assigned  responsibilities  to  mitigate 
those  risks. 

While  this  approach  might  seem  logical,  it  actually  has  a 
few  significant  flaws,  Yang  says.  First,  the  executives  usu¬ 
ally  cannot  provide  empirical  data  other  than  citing  recent 
events  or  news  headlines. 

Second,  because  this  approach  encourages  executives 
to  think  of  only  the  most  likely  threat  scenarios,  it  does  not 
help  the  organization  in  defending  itself  against  a  Black 
Swan  event— one  that  escalates  beyond  what’s  expected 
of  a  situation  and  so  is  very  difficult  to  predict. 

Third,  any  risk  remediation  initiatives  that  result  from 
this  type  of  exercise  are  usually  specific  to  a  business  func¬ 
tion  or  facility  and  cannot  be  compared  side-by-side  to 
provide  a  holistic  view  of  risk. 

Other  enterprises  that  avoid  this  approach  conduct  busi¬ 
ness-impact  analyses  (BIA),  Yang  says,  but  the  results  of 
these  studies  are  often  difficult  to  quantify  and  compare 
across  the  enterprise. 

“Some  enterprises  classify  their  assets  and  provide 
respective  risk  treatments  per  class,  but  they  are  dumb¬ 
founded  with  their  mission-  and  business-critical  assets 
representing  40  percent  to  60  percent  of  the  overall  port¬ 
folio,”  Yang  says. 

Research  and  analysis  firms  Gartner  and  Forrester  Re¬ 
search  both  recommend  that  mission-  and  business-  criti¬ 
cal  assets  should  be  kept  at  20  percent  or  less  of  the  overall 
portfolio,  Yang  says. 

Rather  than  doing  an  informal  threat  analysis,  Cummins 
leans  on  what  the  executives  know  and  do  best — the  busi¬ 
ness.  Framing  questions  to  be  business-oriented  yields 
much  more  enthusiastic  responses  from  executives  be¬ 
cause  they  want  to  protect  and  sustain  assets  that  support 
critical  business  activities. 

Cummins’ version of a BIA questionnaire consists of just
eight questions, which have multiple-choice answers, Yang
says.  But  it  is  extensive  enough  to  capture  both  qualitative 
and  quantitative  risks.  Cummins  made  its  BIA  question¬ 
naire  a  simple  yet  powerful  way  to  catalog  and  rank  any 
assets  (IT  systems,  business  processes  or  facilities),  re¬ 
gardless  of  size  and  purpose. 

The  BIA  would  divide  IT  systems  into  distinct  business- 
criticality  classes,  where  class-specific  requirements  would 
be  used  as  the  governing  factors  for  process,  application, 
data,  infrastructure  and  facility  standards  compliance. 

Phase  one  of  the  BIA  was  to  classify  IT  assets  by  busi¬ 
ness  criticality. 

“By minimizing the number of questions, business executives
can spend less than 30 minutes completing the BIA
questionnaire,” Yang says.

The  pre-written  answers  and  large  sample  sizes  help 
minimize  human  bias.  “Using  the  ‘direct  revenue’  ques¬ 
tion  as  an  example,  even  though  answers  from  executives 
can  vary  as  much  as  $4  million,  we  would  still  get  consistent 
scoring  output,”  Yang  says. 

A  weighted  point  system  gives  risk  professionals  a 
chance  to  weigh  in  on  which  question  matters  most  to  the 
organization.  The  outcome  is  a  two-dimensional  business 
criticality  matrix  that  provides  a  holistic  view  of  IT  assets, 
where  colors  represent  classes  of  business  criticality. 

The  matrix  is  a  scatter  plot  that  gives  senior  manage¬ 
ment  a  dashboard-style  view  of  how  any  IT  asset  is  posi¬ 
tioned  in  terms  of  business  criticality. 
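A worked version of the scoring mechanism described above, as an added example: this is not Cummins’ questionnaire or tooling, and the questions, answer buckets, weights, axis names (impact and urgency) and class thresholds are hypothetical stand-ins, since the page does not publish them. It shows why pre-written answer buckets give the same score when two executives’ revenue estimates differ by several million dollars, how the weights let the risk team decide which question dominates, how each asset becomes a point on a two-axis matrix with a class, and a check of the portfolio share in the top two classes against the 20 percent ceiling the article cites.

```python
"""Weighted, bucketed BIA scoring that places each IT asset on a two-axis
criticality matrix. Added example: questions, buckets, weights, axis names and
class thresholds are hypothetical, not Cummins' eight questions."""
from typing import Dict, List, Tuple

# A numeric answer is bucketed, so executives who estimate the same application's
# direct revenue at $6M and $10M still produce the same score.
REVENUE_BUCKETS: List[Tuple[float, int]] = [  # (upper bound in USD, points)
    (1_000_000, 0), (5_000_000, 1), (10_000_000, 2), (50_000_000, 3), (float("inf"), 4)]

# Multiple-choice questions: answer -> points (0 = no impact, 4 = worst case).
CHOICE_QUESTIONS: Dict[str, Dict[str, int]] = {
    "safety_regulatory": {"none": 0, "reportable_to_regulator": 2, "injury_or_plant_shutdown": 4},
    "users_affected": {"under_100": 0, "100_to_1000": 1, "1000_to_10000": 2, "over_10000": 4},
    "max_tolerable_outage": {"over_a_week": 0, "1_to_7_days": 1, "8_to_24_hours": 2,
                             "1_to_8_hours": 3, "under_1_hour": 4},
    "workaround": {"full_manual_workaround": 0, "partial_workaround": 2, "no_workaround": 4},
}
MAX_POINTS = 4

# Which matrix axis each question feeds (hypothetical axis names).
AXIS: Dict[str, str] = {"direct_revenue": "impact", "safety_regulatory": "impact",
                        "users_affected": "impact", "max_tolerable_outage": "urgency",
                        "workaround": "urgency"}
# Weights are where the risk professionals say which question matters most.
WEIGHTS: Dict[str, float] = {"direct_revenue": 3.0, "safety_regulatory": 5.0,
                             "users_affected": 2.0, "max_tolerable_outage": 3.0,
                             "workaround": 2.0}


def bucket_revenue(usd: float) -> int:
    """Points for a direct-revenue estimate; every value lands in exactly one bucket."""
    for upper, points in REVENUE_BUCKETS:
        if usd <= upper:
            return points
    raise ValueError("revenue outside all buckets")  # unreachable: last bound is inf


def score_answers(answers: Dict[str, object]) -> Dict[str, float]:
    """Per-axis weighted score normalised to 0..100 (one decimal)."""
    earned = {"impact": 0.0, "urgency": 0.0}
    possible = {"impact": 0.0, "urgency": 0.0}
    for key, axis in AXIS.items():
        if key == "direct_revenue":
            points = bucket_revenue(float(answers[key]))
        else:
            # An answer that is not on the form is a KeyError: no free-text scoring.
            points = CHOICE_QUESTIONS[key][str(answers[key])]
        earned[axis] += WEIGHTS[key] * points
        possible[axis] += WEIGHTS[key] * MAX_POINTS
    return {axis: round(100.0 * earned[axis] / possible[axis], 1) for axis in earned}


def classify(impact: float, urgency: float) -> str:
    """The 'colour' of a point on the matrix (thresholds are hypothetical)."""
    if impact >= 70 and urgency >= 70:
        return "mission-critical"
    if impact >= 70 or urgency >= 70:
        return "business-critical"
    if impact >= 40 or urgency >= 40:
        return "important"
    return "low"


def assess(asset: str, answers: Dict[str, object]) -> Dict[str, object]:
    """One row of the scatter plot: the asset, its two coordinates and its class."""
    scores = score_answers(answers)
    return {"asset": asset, **scores, "class": classify(scores["impact"], scores["urgency"])}


def critical_share(assessments: List[Dict[str, object]]) -> float:
    """Fraction of the portfolio in the top two classes (the article cites a 20% ceiling)."""
    if not assessments:
        return 0.0
    top = sum(1 for a in assessments if a["class"] in ("mission-critical", "business-critical"))
    return top / len(assessments)


# Constructed sample responses, not Cummins data.
SAMPLE: Dict[str, Dict[str, object]] = {
    "order-entry": {"direct_revenue": 60_000_000, "safety_regulatory": "reportable_to_regulator",
                    "users_affected": "over_10000", "max_tolerable_outage": "under_1_hour",
                    "workaround": "no_workaround"},
    "plant-control-hmi": {"direct_revenue": 2_000_000, "safety_regulatory": "injury_or_plant_shutdown",
                          "users_affected": "under_100", "max_tolerable_outage": "under_1_hour",
                          "workaround": "partial_workaround"},
    "intranet-wiki": {"direct_revenue": 0, "safety_regulatory": "none",
                      "users_affected": "1000_to_10000", "max_tolerable_outage": "over_a_week",
                      "workaround": "full_manual_workaround"},
}
```

Running `assess` over `SAMPLE` gives one point per asset; plotting impact against urgency and colouring by class reproduces the matrix the article describes. Changing only the revenue answer from $6M to $10M leaves the score unchanged because both fall in the same bucket, which is the bias-control property Yang describes.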

By  classifying  assets  this  way,  resilience  standards  can 
easily  be  enforced  and  audited  to  reduce  operational  risks. 
Most  important,  the  business-criticality-driven  IT  frame¬ 
work  provides  an  objective  frame  of  reference  during  the 
strategic  decision-making  process,  to  keep  bad  invest¬ 
ments  at  the  lowest  level,  Yang  says. 

Phase  two  of  the  BIA  was  to  establish  and  maintain  busi¬ 
ness  resilience  standards,  thereby  lowering  the  availability 
risk.  Cummins  paid  extra  attention  to  avoid  a  one-size- 
fits-all  approach,  “because  standards  to  safeguard  critical 
assets  should  depend  largely  on  the  business  value  they 
provide,”  Yang  says. 

Also,  having  resilience  retrofitted  into  a  system,  rather 
than  incorporated  during  the  design  phase,  costs  more 
and  yields  a  less  flexible  result.  The  established  standards, 
therefore,  are  mandated  as  key  activities  in  every  budget 
during  its  early  planning  stages  to  ensure  funding  and  es¬ 
tablish  a  project  lifecycle. 

Phase  three  was  implementing  ongoing  assessments  of 
key  business  systems  against  standards.  For  new  projects, 
responsibility  for  complying  with  resilience  standards  and 
risk  tracking  now  belongs  to  the  project  owners,  a  shift 
made  possible  by  the  establishment  of  business  criticality 
classes, IT standards, and a budget-integrated risk identification
and mitigation process.

“Standards to safeguard critical assets should depend largely on
the business value they provide.”

-JAMES YANG, DIRECTOR OF DISASTER RECOVERY
FOR GLOBAL INFORMATION SECURITY, CUMMINS

For  deployed  assets,  the  compliance  assurance  organiza¬ 
tions  conduct  annual  gap  assessments  to  compare  exist¬ 
ing  capabilities  against  the  defined  resilience  standards.  A 
gap-assessment  scorecard  was  developed  to  help  provide 
visibility  over  whether  individual  asset  owners  abide  by  the 
established  IT  standards. 

“Inside  Cummins,  the  framework  broke  down  many  silos, 
motivated  individuals  of  all  organizational  levels  to  march 
toward  the  same  goal,  and  these  efforts  are  transforming 
Cummins  IT  to  align  closer  to  the  business,”  Yang  says. 

Eight  months  into  the  project,  leaders  from  different 
departments  started  seeing  the  common  good  of  the  pro¬ 
gram.  Executives  from  shared  services  organizations  and 
compliance-assurance  departments  began  embracing  the 
effort.  They  saw  potential  for  improving  areas  such  as  proj¬ 
ect  management  methodology,  release  management  and 
budget  planning. 

The  Web  application  support  group  revised  its  service- 
level  agreement  and  renegotiated  supplier  contracts  to  per¬ 
manently  place  business  criticality  into  consideration,  and 
the  compliance-assurance  organizations  in  the  company 
adopted  the  framework  to  scrutinize  assets  that  are  classi¬ 
fied  as  mission-  and  business-critical. 

“We  leveraged  the  scoring  from  the  BIA  along  with  other 
parameters  to  achieve  a  tiered  application  support  model, 
whereby  applications  are  grouped  in  five  levels  from  mis¬ 
sion  critical  to  low  criticality  impact  on  the  business,”  says 
Bob  Ertel,  director  of  the  global  Web  center  at  Cummins. 
“This  enabled  us  to  focus  our  efforts  on  applications  most 
important  to  the  business,  make  investments  accordingly 
and  reduce  our  overall  support  cost.” 

“With the standards ingrained into IT operations, the
framework creates a virtuous cycle that can continue to
improve the operational risk landscape,” Yang says. “In
addition, the ability of this framework to create a risk-aware
culture and to mobilize everyone to shoulder the burden
of managing risks is a major value-add and should not be
overlooked.”

The business-criticality-driven approach to system resiliency
and the associated awareness across Cummins IT
has advanced the cause of system resiliency and requirements
for project planning to a great degree, Yang says.

“The results of this work served to raise the visibility of
DR and IT system resiliency planning to the highest levels
ever achieved in Cummins IT,” says Jerry Pittman, director
of global information security at Cummins.

The  process  enables  not  just  a  select  few  risk  profession¬ 
als,  but  all  stakeholders  in  the  organization  to  prioritize 
corporate  assets  by  business  value;  use  a  common  lan¬ 
guage  to  communicate  about  availability  risk;  assess  ca¬ 
pability  gaps  of  mission-critical  assets  and  mitigate  those 
risks  accordingly;  and  provide  actionable  and  auditable 
scorecards  that  measure  the  existing  capability  against 
defined  resilience  standards. 

The company can eliminate redundancy and reduce
costs by translating resilience standards into common
reusable solutions and driving risk-aware investment-
prioritization decisions.

Cummins faced a few challenges in deploying the framework,
including getting all key stakeholders to sign off on it.

“This initiative spans the whole enterprise. To gain buy-ins
from executives throughout the organization, many
hours were devoted to communicating the vision and associated
benefits,” Yang says.

The Cummins framework has been well received outside
the organization as well. It was recognized by Gartner as
“fantastic...one of the more advanced frameworks in the
industry,” says Yang. The effort was touted at the Disaster
Recovery Journal’s SpringWorld 2013 conference, “Transform
Your Organization to be Business Criticality Driven,”
among other honors.

The three-year program is scheduled to run through the
end of this year, and has kept on schedule. The remaining
tasks are related to expanding resiliency standards and establishing
a formal risk-reporting process.

Beyond that, Cummins declines to discuss any future
efforts to manage risk. But with its project progressing
smoothly and being applauded both inside and outside the
organization, the company appears to be well on its way to
meeting its goals.

■  Bob  Violino  is  a  freelance  writer  and  editor.  He  can  be  reached 
at  bviolino@optonline.net. 
More winners...

39  more  projects  recognized  for 
outstanding  business  value 

BY  BOB  VIOLINO,  MARY  BRANDEL  AND  LAUREN  PAUL 


ADP 

PROJECT:  Client  Security 
and  Privacy  Advisory  Board 
LEADERS:  Roland  Clout¬ 
ier,  CSO;  Devon  Bryan,  vice 
president  of  Global  Trust  Assurance 
DESCRIPTION:  The  Client  Security  and  Pri¬ 
vacy  Advisory  Board  is  intended  to  encom¬ 
pass  the  full  spectrum  of  the  information 
professional  market,  with  representation 
from  the  major  business  segments,  major 
geographical  regions,  and  key  strategic 
partnerships  and  alliances.  The  board  pro¬ 
vides  ADP’s  security  division  with  an  oppor¬ 
tunity  to  evaluate  its  strategic  direction  and 
near-term  goals.  The  board’s  expert  advice 
will  advance  ADP’s  defined  strategy.  With 
this  advisory  board  in  place,  the  security 
division  has  access  to  global  expertise  and 
wisdom  that  can  dramatically  improve  the 
company's  security  posture. 

BUSINESS  VALUE:  Countless  organizations 
create  and  engage  with  client  advisory 
boards  to  gather  candid  and  valuable  input 
from  highly  motivated  experts.  ADP  realized 
that  within  its  large  and  diverse  customer 
base,  it  has  unique  access  to  a  global  set 
of  security  experts  and  wisdom  that  could 
dramatically  improve  its  own  security 
posture, not just for its clients, but for the
greater ADP organization and business lines.

Among the key benefits are an accelerated
effort to implement a federated single sign-on
engine across ADP products, thereby
reducing the number of passwords at risk in
the marketplace, and a formalized effort to
make ADP’s security operations center more
transparent to key client advisors.

Astellas 

PROJECT: SAP Security
Governance Program
LEADERS: Kevin O’Toole, CIO; Scott Zulpo, senior
director of IT operations; Anand Pattabiraman,
overall program lead
DESCRIPTION: Astellas developed a road
map to enable an organized, efficient and
transparent framework for managing SAP
security and data risks. The road map is
based on leading practices for managing
user access and security in an SAP environment
and leverages SAP’s GRC Access Control
10.0 and Master Data Governance applications
to standardize and automate critical
processes across the SAP environment.
BUSINESS VALUE: The value of the project
goes beyond managing security and data
risks in the SAP environment to establishing
a framework for ensuring a safe and
controlled SAP platform for the business
to operate in. By implementing leading
security and master data management
processes and advanced SAP supporting
technologies, Astellas is setting the foundation
for the organization to achieve its goal
of operational and regulatory compliance
excellence. The benefits include reduced
fraud and compliance risk; reduced risk
of inappropriate access to the system;
increased efficiency by implementing leading
practice policies, developing procedures
for managing access to SAP and eliminating
time-consuming manual activities; and
enhanced ability to proactively manage
segregation of duties and sensitive access
risks before access is given to users.


Atlantic  Health 
System 

PROJECT:  Workplace  Vio¬ 
lence  Reduction  Strategies 
LEADER:  Alan  Robinson, 

director  and  CSO  of  the  Protection  and 
Security  Services  Emergency  Management 
Department 

DESCRIPTION:  The  Protection  and  Security 
Services  Emergency  Management  Depart¬ 
ment  is  responsible  for  ensuring  that 
Atlantic  Health  System's  (AHS)  Workplace 
Violence Prevention program prevents,
mitigates,  responds  to  and  recovers  from 
all  threats  or  incidents  of  workplace  vio¬ 
lence.  The  strategies  used  include  perimeter 
security,  technology,  training,  intelligence 
gathering,  and  analytics,  both  internal  and 
external. AHS uses its Red Cell survey program
to identify potential security
flaws and address vulnerabilities quickly
and  effectively.  All  workplace  violence 
incidents  are  recorded  in  an  incident  report 
and  workplace  violence  form.  All  forms  are 
reviewed  by  security,  occupational  safety 
and,  if  necessary,  by  the  Workplace  Violence 
Prevention  committee.  As  a  result,  various 
mitigation  strategies  have  been  identified 
and  implemented. 

BUSINESS VALUE: Successes have included
a 17 percent reduction in workplace violence
incidents and a 42 percent reduction in days
employees missed work as a result of workplace
violence in 2013.

Baptist Health
South Florida

PROJECT: Role-Based
Security
LEADERS: Mimi Taylor, CIO
and corporate vice president; Allen Giannakopoulos,
corporate director of IT process
DESCRIPTION: Role-Based Security was initiated
as a paper system years ago to control
access to applications at the job code level.
Since then, Baptist Health South Florida has
instituted an automated system that manages
the complex structure of maintaining
the application access of all employees into
only those applications that they have the
appropriate credentials to access.

BUSINESS VALUE: Today, Baptist Health has
more than 14,500 employees, 3,000 allied
health professionals, 1,000 volunteers, 600
contractors and vendors spread over six
hospital campuses, 18 urgent care centers,
and six administrative campuses. Construction
of client identification for access begins
when a new client is added to the company’s
human resources system. This approved
event then triggers a process where the user’s
IDs are built according to the specifications of
the Role-Based Security program.
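The Astellas and Baptist Health entries above describe one mechanism from two ends: an approved HR event fixes the job code, the job code fixes the roles and the application access they carry, and segregation-of-duties conflicts are caught before any access is granted. The following is an added example implementing that flow; it is not Baptist Health’s or Astellas’ system, and the job codes, roles, application permissions, SoD rules and event format are hypothetical.

```python
"""Role-based provisioning driven by HR events, with a segregation-of-duties
(SoD) check before any entitlement is written. Added example: neither Baptist
Health's nor Astellas' system; job codes, roles, permissions and SoD rules are
hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Entitlement = Tuple[str, str]  # (application, permission)

# Job code -> roles. Only the HR system decides a person's job code.
JOB_CODE_ROLES: Dict[str, Tuple[str, ...]] = {
    "RN-ICU": ("clinician", "icu_staff"),
    "AP-CLERK": ("ap_entry",),
    "AP-SUPER": ("ap_entry", "ap_approve"),  # mis-designed job code; see SOD_RULES
    "IT-DBA": ("dba",),
}

# Role -> entitlements in each application.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[Entitlement]] = {
    "clinician": frozenset({("ehr", "read_chart"), ("ehr", "write_orders")}),
    "icu_staff": frozenset({("bed_mgmt", "update")}),
    "ap_entry": frozenset({("erp", "create_vendor_invoice")}),
    "ap_approve": frozenset({("erp", "approve_payment")}),
    "dba": frozenset({("erp", "db_admin")}),
}

# Segregation-of-duties rules: pairs one person must never hold together.
SOD_RULES: FrozenSet[FrozenSet[Entitlement]] = frozenset({
    frozenset({("erp", "create_vendor_invoice"), ("erp", "approve_payment")}),
    frozenset({("erp", "db_admin"), ("erp", "approve_payment")}),
})


@dataclass
class Directory:
    """Stand-in for the account store: employee id -> granted entitlements."""
    accounts: Dict[str, Set[Entitlement]] = field(default_factory=dict)


def entitlements_for(job_code: str) -> Set[Entitlement]:
    """Everything the job code's roles grant; nothing is granted per person."""
    granted: Set[Entitlement] = set()
    for role in JOB_CODE_ROLES[job_code]:
        granted |= ROLE_ENTITLEMENTS[role]
    return granted


def sod_violations(entitlements: Set[Entitlement]) -> List[List[Entitlement]]:
    """Rules whose whole conflicting pair is contained in the proposed set."""
    return sorted(sorted(rule) for rule in SOD_RULES if rule <= entitlements)


def on_hr_event(directory: Directory, event: Dict[str, str]) -> Dict[str, object]:
    """Apply one HR event of the form
    {"type": "hire" | "transfer" | "terminate", "employee": id, "job_code": code}."""
    employee, kind = event["employee"], event["type"]
    if kind == "terminate":
        removed = directory.accounts.pop(employee, set())
        return {"status": "deprovisioned", "removed": sorted(removed)}
    if kind not in ("hire", "transfer"):
        return {"status": "rejected", "reason": f"unknown event type {kind!r}"}
    job_code = event.get("job_code", "")
    if job_code not in JOB_CODE_ROLES:
        return {"status": "rejected", "reason": f"unknown job code {job_code!r}"}
    desired = entitlements_for(job_code)
    violations = sod_violations(desired)
    if violations:
        # Nothing is written: the conflict is surfaced before the access exists.
        return {"status": "blocked", "violations": violations}
    current = directory.accounts.get(employee, set())
    # A transfer replaces the old set, so access does not accumulate across moves.
    directory.accounts[employee] = desired
    return {"status": "granted",
            "added": sorted(desired - current),
            "removed": sorted(current - desired)}
```

Two design points worth noting: the SoD check runs on the full entitlement set a job code would produce, so it also catches a conflict baked into the role mapping itself (the hypothetical AP-SUPER code), and a transfer computes the new set from scratch rather than adding to the old one, which is what stops entitlements from accumulating as people move between jobs.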


Blue Cross

Blue  Shield 
of  Michigan 

PROJECT:  Vendor  Risk  Man- 
agement  program 

LEADERS:  Tonya  Byers,  director  of  informa¬ 
tion  security;  Damon  Stokes,  manager  of 
governance,  risk  and  performance;  and  Jen¬ 
nifer  Fox,  team  lead  of  governance,  risk  and 
performance 

DESCRIPTION:  The  Vendor  Risk  Manage¬ 
ment  (VRM)  program  within  the  IT  division 
at  Blue  Cross  and  Blue  Shield  of  Michigan 
(BCBSM)  performs  assessments  of  key  pro¬ 
cesses  and  controls.  As  part  of  its  ongoing 
planning  process,  the  VRM  team  assesses 
vendors  with  whom  it  has  strategic  partner¬ 
ships.  The  processes  and  controls  in  place  at 
vendor  locations  play  an  important  role  in 
maintaining  the  overall  security  of  BCBSM 
data.  With  the  changes  set  forth  under  the 
Health  Information  Technology  for  Eco¬ 
nomic  and  Clinical  Health  Act,  BCBSM  has 
increased  its  attention  to  information  secu¬ 
rity  controls  that  involve  the  transmission, 
storage  and  handling  of  protected  health 
information  and  other  sensitive  member 
information. 

BUSINESS  VALUE:  With  each  assessment, 
the  VRM  program  delivers  increasing  value 
to  the  organization.  Procurement,  legal, 
security  architecture  and  IT  audit  have  direct 
visibility  into  vendor  documents  and  risks. 
During  the  life  of  the  program,  VRM  analysts 
have  finalized  more  than  260  vendor  risk 
reports,  including  180  on-site  visits.  Some 
1,200  vendor  risks  have  been  identified  and 
tracked  to  completion. 

Blue Cross
Blue Shield
of Ill., Texas,
Okla., N.M.
and Mont.

PROJECT:  Enterprise  Authentication  and 
Authorization  Service  Development 
LEADERS:  Ray  Biondo,  divisional  senior  vice 
president  and  CISO;  Thomas  Baltis,  execu¬ 
tive  director  of  IT  governance,  security  and 
risk  management;  Pavel  Slavin,  director  of 
risk management; Kapil Assudani, senior
manager of the Technical Security Service
Program

DESCRIPTION:  The  Enterprise  Authentica¬ 
tion  and  Authorization  Service  Development 
project  established  a  standard,  centralized 
and  scalable  solution  for  managing  access 
to  Web  and  mobile  applications  across  the 
enterprise.

BUSINESS  VALUE:  The  project  boosted 
employee  productivity  by  dramatically 
reducing  the  amount  of  time  users  spend 
logging  in  to  various  applications,  and 
it reduced operational and project costs
by  offering  a  prebuilt  authentication  and 
authorization  solution  to  new  application 
development  initiatives,  eliminating  redun¬ 
dant  solutions  to  improve  manageability 
and  reducing  the  number  of  access-related 
calls  to  the  help  desk.  It  also  enhanced 
application  security  and  reliability  by  elimi¬ 
nating  weak  security  credentials  and  reduc¬ 
ing  the  number  of  passwords  that  users 
need to remember. And it eliminated pervasive
control weaknesses by moving security
functionality from individual applications to
a centralized enterprise solution.

Boeing

PROJECT: ThreatNavigator
LEADERS: Dave Komendat, vice president
and CSO; Krysta Teker, finance manager

DESCRIPTION: ThreatNavigator is a geo-intelligence
application developed by Boeing
and its business partners. It provides the
ability to overlay real-time risk and threat
data with Boeing asset data (such as buildings,
people, IT assets, suppliers) to be better
positioned to respond to a serious event
or disaster. The integrated tool identifies
possible threats to Boeing people, property,
assets or the supply chain. Any of these
events could put Boeing’s employees and
operations at risk and affect its production
capability, economic health, contractual
commitments, safety and regulatory compliance,
competitive position and corporate
reputation. ThreatNavigator helps emergency
responders provide a holistic response
to an incident or disaster.
Sujata Ramamoorthy, director
of information security

Cisco

DOUBLE WINNER

CISCO HAS DEVELOPED
a tool to deliver abstraction and automation to the
management of its increasingly complex global set of
access-control lists (ACL).
The Enterprise ACL Management tool not
only acts as a single source of truth for all ACLs, but
also greatly improves ACL accuracy, delivery, updates
and so on.

“Automation alone has delivered a 51 percent reduction in time to
execute ACL changes,” says Oisin Mac Alasdair, a
member of the technical staff and the security prime
for networking at Cisco. This alone has resulted in
a $150,000 reduction in outside services costs, and
an additional $200,000 reduction in headcount costs
for operational staff, Mac Alasdair says.

The adoption of the tool, and the controls and error
checking it provides, have also resulted in more than
17,000 malformed access-control entries (ACE) being
identified and removed. “This greatly improves the
accuracy and fidelity of the ACLs in production,” Mac
Alasdair says.

In addition, the use of abstraction (isolating IT
users and service owners from the technical specifics
of ACLs, their nomenclature and the variable
syntax necessary in supporting many platforms) is
expected to deliver significant long-term benefits,
including an additional 34 percent operational dividend.

Other intangible benefits include improved security,
brought about by having fewer service-impacting incidents;
higher availability, through surgical insertion
of ACEs rather than wholesale ACL replacement; and
native support for Cisco Application Centric Infrastructure (ACI).

On another security front, Cisco has developed
Unified Security Metrics (USM), a project
aimed at giving organizations more insight into the
state of their security so they can be more proactive
with their security measures.

“The idea is that it is always better to prevent fires
rather than to put them out every time they occur,”
says Sujata Ramamoorthy, director of information security
at Cisco.

USM aims to remove inconsistencies in security
analysis, metrics and communication, and to improve
transparency and enhance the information that security
clients receive by providing detailed metrics on
their network activity.

USM uses five technical measures that give
relevant, quality data: stack compliance, antivirus
compliance, baseline application vulnerability assessment,
deep application vulnerability assessments
and design exceptions.

These five measures are used to find two key security
metrics, the vulnerability metric and the on-time
closure metric.

“Any organization with important data stored
on their network will find value in USM,” Ramamoorthy
says. “USM helps to protect against potentially
damaging security threats of all types.”


BUSINESS  VALUE:  Based  on  estimates  from 
managing  real  emergency  events  with  and 
without  ThreatNavigator,  user  productivity 
improved  by  at  least  80  percent.  Because  of 
the  aggregated  data  visually  displayed  on 
a  map,  an  emergency  responder  can  react 
within  30  seconds  to  situations  that  took 
several  hours  or  days  to  respond  to  before. 
User  efficiency  and  effectiveness  has  been 
increased  because  of  the  ability  to  view  key 
data  in  a  single  integrated  format.  Faster 


analysis  before  an  event  and  reaction  to  an 
event  helps  ensure  employee  safety  and 
lessen  operational  impact. 


Children's Healthcare of Atlanta

PROJECT: Mobile Device Policy Implementation
LEADERS: Praveen Chopra, CIO; Robert Dalrymple, manager of information security; Monique Hart, manager of information security; Jessica Krueger, project consultant for finance; Stoddard Manikin, director of information security
DESCRIPTION: The project's objective was to promote mobile device flexibility and user mobility while ensuring protection of patient data, as well as standardizing the stipend reimbursement process for eligible employees. The organization embarked on the initiative to implement a mobile device management process and solution, which would allow clinical and business users to leverage company-owned or employee-owned mobile devices while minimizing risks to the organization. It also replaced the existing receipt-based reimbursement process with a standard stipend approach; consolidated multiple types of mobile device requests into a single request form on a mobile device portal; and defined the obligation and time frame for employees to notify the organization of any accidental loss or theft of a device.

BUSINESS VALUE: Ultimately, the project provided the means for securing information allowed onto approved mobile devices while also enabling flexibility by facilitating user choice and streamlining the financial reimbursement procedure. The organization was able to successfully provide secure, compliant mobile device access to its information resources to provide a foundation to support new business initiatives, including telemedicine, in-home therapy services, and accepting credit card donations at events.

City University of Hong Kong

PROJECT: Security Information and Event Management (SIEM) Implementation
LEADERS: Dr. Andy Chun, CIO; Vincent Yiu, IT security manager; Manfred Chan, senior IT officer; Alex Lam, IT officer
DESCRIPTION: With proliferating mobile devices, larger numbers of network and security devices to log and monitor, and increased hacking of universities in general, CityU felt it was necessary to create a SIEM system to protect its valuable electronic assets.

BUSINESS VALUE: One immediate benefit was a marked reduction in manpower requirements, particularly for troubleshooting. Turnaround times when investigating anomalies have also improved, from weeks to hours. The platform allows new rules to be easily introduced to catch future incidents in progress rather than remedying them afterwards. Coverage is being extended to include non-security events, including data center and end-to-end IT service monitoring, and linking to the configuration management database. With increased insight into activities across the IT infrastructure, CityU has improved IT security and service quality, even with a sharp increase in demand for services.

Comcast

ACHIEVING AND maintaining PCI/SOX compliance in today's complex world has become an increasingly arduous task. At Comcast, compliance was very much auditor-driven and burdensome for systems administrators, who, several times per year, had to respond to requests for information and validate controls while also fulfilling their primary responsibilities for keeping systems up and running.

To address this, Comcast created the Compliance Automation project to increase efficiency and improve the processes that maintain compliance across the company. Through the automation program, Comcast hoped to meet the recurring need for information by pulling it directly from the applications themselves and by providing simple questionnaires for administrators to complete on their own time.

Through careful planning, transparent communication and collaboration, combined with senior management's vision, support and focus, Comcast delivered a quality PCI/SOX compliance project on time and within budget. The PCI component was released in March 2013, and the SOX component was released in October.

Led by Robert Irwin, director of governance and compliance, the program reduces costs by automating controls that were previously manual, and it reduces the time spent by centralizing evidence-gathering workflows and notifications. Through automation, much of the required data is stored so that when it comes time to audit, 90 percent of the information is already gathered, and the rest can be made available with little burden to the administrators. Comcast estimates that, all told, the program will save 1,000 to 1,500 man-hours per year.

Robert Irwin, director of governance and compliance

Cognizant Technology Solutions

PROJECT: New Horizons in Identity and Access Management (IAM)
LEADERS: Sukumar Rajagopal, CIO; Joseph Korah, senior director of application services; Kadhar Mohammed, associate director of application services; Venkata Subramanian, senior director of corporate security
DESCRIPTION: The IAM solution takes a user-centric (as opposed to device-centric) view, and focuses on use-policy enforcement, data encryption, federated identity management, multi-factor authentication, secure application access, privileged identity management, classified data masking, vulnerability protection, data loss prevention, and threat and malware protection.
BUSINESS VALUE: The project has reduced the time required to create user accounts and provide system access by over 75 percent. With its hub-and-spoke approach, user attribute updates are pushed to downstream systems, reducing administrative efforts by 45 percent. After mergers and acquisitions, new employees can now access systems in a few hours instead of a few days. A single sign-on framework and stronger authentication process increased employee satisfaction. By delivering closed-loop identity and access-management audit reports, the solution has also strengthened compliance audit and reporting.

Credit Suisse

PROJECT: Global Identity and Access Management
LEADERS: Thorsten Walther, business program manager
DESCRIPTION: The project helps Credit Suisse transition from an IT-driven to a business-centric approach to identity and access management (IAM). The program includes rationalization of existing IAM solutions, development of a global governance framework, harmonizing of IAM processes, and decreased complexity of access management.

BUSINESS VALUE: With the IAM program, the business defines the principles and guidelines of how to manage identities and access to IT assets and data. A centrally managed access management platform supports integrated IAM business processes and fully automated straight-through processing from the central entitlements store to the technical end points. A strategic user interface enables users to execute all access-management-related work in a self-service fashion, improving productivity and transparency.

SecureWorks

PROJECT: Foresee
LEADERS: Jon Ramsey, CTO and Dell Fellow; Kevin Schmidt, senior manager of software engineering; Rafael Guerrero-Platero, principal engineer of data science; Marco Arguedas, senior engineer of data science; Tomasz Raczek, SOC manager
DESCRIPTION: Foresee detects unknown advanced persistent threats more quickly and with greater predictability. The Foresee team wanted to develop a system that could keep pace with increased threat volume, model the intuition of a security operations analyst into a machine-learning system, and produce results equal to or better than what could be achieved by security experts.

BUSINESS VALUE: The system cost-effectively scales security operations to meet the rapidly growing number and variety of threats. It also provides predictive capabilities to anticipate attacks before they occur. Over the long term, Foresee will enhance the company's existing managed security, consulting and threat intelligence services. The system will also get smarter over time, and the results and knowledge gained can be used across the customer base to provide better, faster and more predictive threat-response capabilities.

Department of Homeland Security (Office of Cyber-Communications)

PROJECT: Einstein 3 Accelerated (E3A)
LEADERS: Roberta Stempfley, acting assistant secretary; Brendan Goode, director of network security deployment; Robert Hopkins, director of external affairs; Emily Andrew, senior privacy officer

DESCRIPTION: E3A significantly enhances DHS's existing cybersecurity capabilities by providing an active defense capability that evolves with changing threats. This is done by delivering intrusion prevention as a managed service, which provides DHS with the innovation and agility of the commercial sector while enhancing it with government-provided information.

BUSINESS VALUE: E3A represents the transition from reactive, detection-oriented methods to a proactive, adaptable intrusion prevention service that prevents, in real time, malicious traffic from harming government networks. It protects against the most prevalent cybersecurity threats while allowing for a rapid evolution of protection capabilities against future threats. The department will be able to protect up to 20 percent of federal traffic by the end of fiscal 2014, and all traffic across all federal departments and agencies by the end of fiscal 2015.

Fletcher Allen Health Care

PROJECT: Data Loss Prevention (DLP)
LEADERS: Heather Roszkowski, CISO; Charlie Miceli, vice president of supply chain and information systems; Britt Cummings, manager of client services for information systems
DESCRIPTION: The DLP solution was driven by the need to protect health information, personally identifiable information and other sensitive data from inadvertently and inappropriately leaving the corporate network. Additionally, DLP ensures compliance with the HIPAA Security Rule and PCI. Under the HITECH Act, implementing a DLP solution meets meaningful use criteria, which assists Fletcher Allen in receiving maximum reimbursement by providing controls to protect electronic health records.

BUSINESS VALUE: The program gives Fletcher Allen confidence and peace of mind that it is taking the right actions in protecting patients' sensitive information. The tool has proved its worth by preventing sensitive information from inadvertent exposure. If a breach had occurred, the organization could have faced a large fine (up to $1.5 million) under HIPAA.


Florida Blue

PROJECT: "I said 'Know'" Security Awareness
LEADERS: Chris Gay, director of information security technology and operations; Mark Felber, manager of information security program; Doug Robison, program manager of security education program

DESCRIPTION: The campaign has two strategic objectives: engage and educate employees on protecting their own personal information, and increase awareness of the appropriate security behaviors that protect the confidentiality, integrity and availability of Florida Blue's information. Vital to the program are the security ambassadors, who provide direct outreach in the form of face-to-face sessions on securing personal information. The program's commonsense approach to educating employees has helped develop relationships among information security's business and IT associates, leading to a learning environment that fosters more secure workplace behaviors.
BUSINESS VALUE: The program has helped develop trust among business and IT partners and associates. Of 1,200 people attending the programs, 97 percent say they have learned something new, while 99 percent have applied one or more security tips to their information security behavior.

HCA

PROJECT: Dramatically Decrease Password Resets
LEADERS: Terri Schmidt, assistant vice president of information protection; Tom Morris, assistant vice president of customer support
DESCRIPTION: Massive numbers of password reset calls to customer support were consuming valuable support resources and causing user dissatisfaction. The program instituted several tactics to decrease the number of calls, including password reset kiosks, an interactive voice-response system that encourages self-resets, reporting frequent callers to leadership, setting leadership goals to reduce reset calls, and deployment of single sign-on.

BUSINESS VALUE: By implementing several key tactics, the help desk got 300,000 fewer password reset calls in a single year. This has resulted in an estimated $3 million in labor savings every year. It has also allowed existing support resources to focus on higher-impact activities and has decreased the time users spend waiting for their accounts to be unlocked.

Hyatt

PROJECT: Hotel in the
LEADERS: Marshall Lan-
of technology operations; Eric Templeton, program manager; Mike Patrick, director of client engineering and operations
DESCRIPTION: The project focused on easing the work of converting hotels to a Hyatt brand, improving and enhancing hotel security, and allowing more choices in the hardware needed for hotel operations. The program migrated IT services to the Web, with a limited on-premise service infrastructure. Reducing the service infrastructure simplifies IT systems and allows associates to experience Hyatt IT services in a plug-and-play fashion.

BUSINESS VALUE: The program has improved the speed of hotel takeovers and transitions, reduced infrastructure costs, improved hotel security, and created more choices for operations while improving the user experience.

Intel

PROJECT: Small Form Factor Compliance and Enforcement
LEADERS: Malcolm Harkins, chief security privacy officer; Mary Rossell, director of information security; Mike Wacker, manager of security operations for Center Compliance Tools
DESCRIPTION: With the influx of bring-your-own-device programs and user demand for access to internal capabilities, Intel needed new compliance and enforcement capabilities to ensure these devices complied with its security specifications.

BUSINESS VALUE: With a mechanism to manage its minimum security specification and conduct compliance and enforcement activities on all devices that don't meet that specification, Intel can now give employees email access and collaboration tools. Compliance and enforcement activities are conducted against devices with unauthorized access to email, jail-broken access to email, minimum operating system levels and camera usage in restricted areas.

Lockheed

PROJECT: Lockheed LM Wisdom ITI
LEADERS: Robert Trono, vice president and CSO; Douglas Thomas, director of counterintelligence operations and corporate investigations

DESCRIPTION: The program proactively identifies risks associated with the theft or misuse of intellectual property and trade secrets. It looks for individuals who might be more likely to misuse access to information, as well as those at a higher risk for being targeted by foreign intelligence agents or competitors. The program's digital predictive analytics capability provides analysts with an insider threat risk profile across the organization. Through automated link analysis, it evaluates internal customer data, rapidly reducing big data into actionable intelligence. Data sources are integrated with modeling behavioral indicators on individuals, not just their cyber fingerprints.
BUSINESS VALUE: The insider threat costs U.S. corporations millions of dollars each year, and the number of reported incidents is escalating. This solution was developed to mitigate these threats and safeguard corporations' personnel, information and reputation.

Deloitte

WHEN DELOITTE launched its security awareness campaign, it sought an approach that would encourage employees to minimize risky behaviors while also entertaining them. And so began the Don't Be That Guy campaign, which includes a series of short videos on security do's and don'ts that are informative and to-the-point but also funny. The videos feature a main character who makes all the wrong moves in situations that could occur during a typical workday. The company chose to feature what it considered to be the most common types of incidents that carried the highest risk, such as phishing attempts, handling sensitive information, ensuring physical security within the office, responding to an emergency, posting on social media and using removable devices such as flash drives. While Deloitte worked with an outside agency to produce the videos, employees appear as extras, which has helped to generate a positive buzz around the company.

The project was led by managers Julie Myers, senior manager of information security, risk and governance; Bill Berkeley, director of information technology services; and Larry Quinlan, global CIO of Deloitte and CIO of Deloitte LLP (U.S.). The organization tracks video viewership trends and is working to correlate incident frequency with the number of video views. It is clear that employees have taken notice, because IT is finding itself fielding security-related questions more frequently, such as how to handle suspicious emails or lost mobile devices. The overall security awareness level at Deloitte has also increased, with groups requesting awareness materials for targeted training and directors using the videos during client meetings and presentations. Clients have also inquired about getting help with developing similar awareness programs.

Julie Myers, senior manager of information security, risk and governance

Massport

PROJECT: Boston Logan
LEADERS: Michele Freadman, deputy director of aviation security operations
DESCRIPTION: The SAFE Program was launched at Boston Logan International Airport to instill in workers a sense of individual ownership of security by recognizing front-line employees who protect the airport against the dynamic and evolving security threat to aviation. The unique focus of this program is on front-line employees who demonstrate exemplary security awareness in their daily jobs. By engaging the workforce to defend against security threats, SAFE mobilizes the airport community and facilitates security. The goals of the SAFE program include reducing complacency, improving compliance with security regulations, and increasing reports of suspicious activities and security risks. Employees who prevent, detect or report a security incident are nominated for a SAFE Award. Award recipients are honored at a formal recognition ceremony officiated by Massport executives and a special high-profile guest of honor, a role that has previously been filled by the governor of Mass. and the owner of the New England Patriots. These award winners and their stories are also featured in campaign posters on display at the airport.

BUSINESS VALUE: The SAFE Program is an integral part of the airport's security program and engages the entire airport community as a protective layer to detect threats and mitigate risk. The SAFE Program aligns with the airport's business objectives of safety and security, sustainability, and business continuity. SAFE is embedded in the culture of Logan Airport and supports Massport's mission and commitment to the safety and security of passengers, visitors, employees and facilities. This program is a force multiplier that heightens security awareness, empowers the airport community to "See something, say something," and augments the public safety team. The SAFE program has received over 250 nominations and recognized more than 150 employees with awards and honorable mentions. A visible component of the Massport culture, SAFE is featured in the airport's mandatory security training completed by over 14,000 badge holders, and a wall of SAFE award winners is prominently displayed in the Security Badge Office.

McAfee

PROJECT: McAfee Security Awareness, Training and Risk Management Program (Security Matters)
LEADERS: Shelly Tzoumas, program manager for global security services; Xochitl Monteon, senior director for global security services; Brent Conran, vice president and CSO; Patty Hatter, executive vice president and CIO

DESCRIPTION: When it comes to global regulatory compliance, emerging threats and the security requirements of a diverse workforce, technology is vital but not enough. The Security Matters multi-modal, multi-campaign program ensures that employees understand how to work and live in a safer environment.

BUSINESS VALUE: The program's newsletter, which offers actionable instruction for safe behavior, experiences a consistent email-open rate of 77 percent. Its multi-modal messaging campaigns resulted in up to 60 percent improvement in behavior, while its single-mode campaign resulted in a 20 percent improvement in behavior. The program's five training modules spurred a 30 percent increase in participation in internal compliance training from the previous year. Cultural awareness has improved dramatically, with nearly 40 percent of the company participating in the program's awareness contest.

MetLife

PROJECT: Integrating Business Risk into IT Risk Assessment Processes
LEADERS: Audrey Mydosh, director of IT risk and security; Michael Harrison, director of IT risk and security
DESCRIPTION: Prior to this project, IT risk was based solely on classic considerations such as confidentiality, integrity and availability. This project integrated consideration of business severity by assessing the following categories: financial impact, reputational impact, legal regulatory impact and customer operational impact.

BUSINESS VALUE: MetLife uses a combination of business and IT risk in determining the inherent risk of internal applications and external third parties. This allows the business owners to make more informed decisions prior to engaging a vendor or going live with a new application, as well as to prioritize remediation efforts.


Ohio  Depart¬ 
ment  of  Devel¬ 
opmental 
Disabilities 

(DODD) 

6  PROJECT:  Secure  Entitlements  Management 
System  (SEMS) 

LEADERS:  Bryant  Young,  CIO;  Venu  Edupu- 
ganti,  chief  architect 
DESCRIPTION:  The  Ohio  DODD  aids  those 
who  serve  100,000  developmentally  dis¬ 
abled  individuals  in  Ohio.  The  SEMS  project 
used  a  three-pronged  approach  to  leverage 
federated  token  technology,  implement 
improved  perimeter  security  and  deploy  an 
identity-management  system  that  enables 
self  service. 

BUSINESS  VALUE:  It  used  to  take  eight  to  12 
days  to  enroll  a  new  recipient  of  develop¬ 
mental  disability  entitlements;  it  now  takes 
less  than  one  hour.  Document  management 
and  number  identity  stores  were  simpli¬ 
fied  and  reduced.  The  system  is  now  highly 
portable  and  expandable.  With  self-service 
enabled,  the  DODD  expects  a  dramatic  90 
percent  reduction  in  support  calls.  Total 
project  savings  are  approximately  $2  million 
to  date. 

Quintiles

PROJECT: An innovative, trusted cloud services model
LEADERS: Jack Baker, executive director of global IT security; Jerry Fink, director of IT security
DESCRIPTION: As Quintiles makes increasing use of cloud-service providers to host applications and infrastructure, it has found a need to provide security assurance on par with systems hosted on its internal private network. As a result, Baker and his team developed Quintiles' Trusted Cloud Services Model to build on Quintiles' global security framework and application security assessment program, and to extend security controls to cloud services providers within an integrated global security design. This model gives Quintiles a means of leveraging providers' security services and augmenting those services by extending internal systems and processes.

BUSINESS VALUE: Quintiles' business units are able to engage cloud services providers for speed, efficiency, scalability and cost savings with confidence that internal security standards are not compromised.


Resource  Pro 

PR0JECT:  Employee 
contest  increases 

|fjHr  M  engagement,  steers  orga- 
nizational  change  and 
strengthens  security 

LEADERS:  Christopher  Watkins,  director 
of  IT  infrastructure  and  risk  management; 
Arthur  Wang,  supervisor  of  information 
security  and  help  desk 
DESCRIPTION:  With  headquarters  in  New 
York  City  and  processing  centers  in  Qingdao 
and  Jinan,  China,  Resource  Pro  is  a  leader 
in  processing  solutions  for  the  insurance 
industry.  An  internal  study  determined  that 
focusing  on  employee  involvement  and 
engagement  with  security  policies  would 
achieve  higher  ROI  than  additional  invest¬ 
ment  in  security  technology.  A  year-long 
contest  called  the  Information  Security 
Award  Program  created  unprecedented 
engagement  among  the  1,200-plus  employ¬ 
ees,  a  heightened  awareness  of  security 
policies  and  a  culture  of  community  justice, 
as  team  members  watched  out  for  each 
other  and  were  empowered  to  speak  out 
when  noticing  any  breach  of  policy.  Contest 
entries  included  cartoons,  poetry  and  videos. 
BUSINESS  VALUE:  Security  incidents  were 
reduced  down  to  three  in  2013.  Although 
these  incidents  were  compliance  issues  and 
did  not  result  in  a  data  breach,  had  they 
not  been  detected  earlier,  they  could  have 
resulted  in  significant  penalties,  loss  of  rev¬ 
enue  and  brand  reputation. 


Roche 
Diagnostics 

PROJECT:  Security  aware¬ 
ness  campaign:  SEC_RITY, 
it’s  not  complete  without  U! 

LEADERS:  Joachim  Bohnert,  head  of  global 
information  security  for  Roche  Diagnostics 
IT;  Werner  Boeing,  head  of  Diagnostics  IT; 


Thomas  M.  Kaiser,  head  of  IT  strategy,  archi¬ 
tecture  and  governance 
DESCRIPTION:  Rolled  out  in  2013  to  20,000 
users  at  worldwide  affiliates,  Roche 
Diagnostics'  security  awareness  program 
mobilizes  employees  to  protect  informa¬ 
tion  assets  as  part  of  their  day-to-day  job 
responsibilities.  It  focuses  on  changing 
employee  behavior  by  applying  behavio- 
rial  science,  education  and  entertainment 
concepts,  sharing  information  on  potential 
threats,  and  clearly  explaining  what  secure 
behavior  looks  like. 

BUSINESS  VALUE:  Measures  of  success 
include  the  number  of  attendees  at  pro¬ 
gram-sponsored  live-hacking  infotainment- 
events;  the  number  of  materials  picked  up 
at  awareness  days  (information  hand¬ 
books,  security  game  cards,  webcam  cov¬ 
ers,  antivirus  CDs);  the  number  of  clicks  on 
the  30  intranet  videos  that  provide  advice 
for  improving  security  behavior  in  real- 
life  scenarios.  The  program  substantially 
contributed  to  the  successful  ISO  27001 
certification  of  a  German  Roche  Diagnostics 
business  unit. 


Royal Bank of Scotland

PROJECT: Data loss prevention (DLP); global Web and email monitoring program

LEADERS: Carla McDonal, head of central monitoring team; Emma Smith, CISO

DESCRIPTION: RBS set out to secure the company's most valuable information, customer data, by deploying Websense for data security. The data loss prevention program was implemented across 53 countries and 130,000 employees.

BUSINESS VALUE: The number of data breaches has been reduced. The system monitors 7 million emails and 36 million Web uploads per month, has checked 161 million emails to date, and has closed 12,000 alerts to date. The DLP alerts have allowed RBS to act quickly on any potential data loss, minimizing the impact and damage to the group. Employee awareness and education have significantly increased. The DLP program supports RBS business goals while also instilling a customer-centric risk-reduction mind-set and practices, which have had a profound positive impact on the wider business.
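The monitoring the RBS entry describes, content inspection of outbound mail and Web uploads for customer data, rests on two decisions a practitioner has to get right: what counts as a match, and which traffic is in scope. The following is an added example, not RBS's deployment or a Websense policy: it scans constructed sample messages for primary account numbers, uses the Luhn checksum to discard digit strings that merely look like card numbers, and alerts only on traffic leaving the internal domain. The message fields, the internal domain rbs.example, the vendor hosts and the alert layout are assumptions made for the example.

```python
"""Added example: a minimal DLP content inspector for outbound email and
Web uploads. Illustration only, not RBS's deployment or a Websense
policy. The messages, the internal domain and the record layout are
constructed for the example."""
import re
from dataclasses import dataclass

# A run of 13-19 digits, optionally split into groups by single spaces or
# dashes, and not embedded in a longer digit string.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Order numbers and ticket IDs usually fail it, which is
    what keeps the false-positive rate tolerable at millions of messages
    a month."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """The alert must not itself leak the data: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def is_external(destination: str, internal_domain: str) -> bool:
    """True if the recipient address or upload host lies outside the internal domain."""
    host = destination.rsplit("@", 1)[-1].lower()
    return not (host == internal_domain or host.endswith("." + internal_domain))


@dataclass(frozen=True)
class Alert:
    channel: str        # "email" or "web"
    message_id: str
    sender: str
    destination: str
    masked_pan: str


def inspect(messages: list, internal_domain: str) -> list:
    """Scan messages and return one alert per card number leaving the domain."""
    alerts = []
    for msg in messages:
        if not is_external(msg["destination"], internal_domain):
            continue        # internal-to-internal traffic is out of scope here
        for pan in find_pans(msg["body"]):
            alerts.append(Alert(msg["channel"], msg["id"], msg["sender"],
                                msg["destination"], mask(pan)))
    return alerts


# Constructed sample traffic. 4111111111111111 is a well-known test PAN;
# 1234567890123456 is a 16-digit string that fails the Luhn check.
SAMPLE_MESSAGES = [
    {"channel": "email", "id": "m1", "sender": "alice@rbs.example",
     "destination": "bob@rbs.example",
     "body": "Card on file for the dispute: 4111111111111111"},
    {"channel": "email", "id": "m2", "sender": "alice@rbs.example",
     "destination": "partner@vendor.example",
     "body": "Please refund 4111111111111111 by Friday"},
    {"channel": "email", "id": "m3", "sender": "carol@rbs.example",
     "destination": "partner@vendor.example",
     "body": "Order reference 1234567890123456 shipped today"},
    {"channel": "web", "id": "u1", "sender": "dave@rbs.example",
     "destination": "upload.filehost.example",
     "body": "name,card\nJ Smith,4111-1111-1111-1111\n"},
]

if __name__ == "__main__":
    for a in inspect(SAMPLE_MESSAGES, "rbs.example"):
        print(a)
```

Of the four constructed messages only m2 (external email) and u1 (external upload) produce alerts; m1 stays internal and m3 carries a number that fails the checksum. A production policy adds exact-match lookups against customer records, fingerprints of known files and a volume threshold, since one PAN in an e-mail and a 500-row upload call for different responses.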


SAP AG

PROJECT: Advanced Business Application Programming (ABAP) source code remediation

LEADER: Ralph Salomon, chief IT security officer

DESCRIPTION: Protecting business-critical processes while adhering to compliance guidelines and data-protection rules within custom-developed applications is a major challenge for business systems. SAP AG initiated the ABAP Source Code Project to identify critical security gaps within ABAP-based custom development by using a code-scanning tool, and to resolve the detected issues in a way that protects SAP's business systems.

BUSINESS VALUE: Through the ABAP source code remediation project, in 2012 SAP closed more than 85 percent of all potential security gaps it found in 35 business system landscapes. By using the agreed-upon guidelines and a centralized "factory" approach to remediation, the company drastically accelerated the speed of code remediation, and the remaining number of potential security issues was further reduced in 2013. The project also tracked the number of new security findings introduced by current development projects. To drive that number down, SAP introduced a Secure Development Framework and began secure development training. With these measures, the number of new findings has dropped to a minimum of exceptions.


Schlumberger

PROJECT: Schlumberger data-centric security initiative

LEADER: Mario Chiock, CSO

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
DESCRIPTION: Schlumberger's data-centric information-protection initiative was designed to ensure that as information is created, it is classified according to corporate policies and protected via encryption, so that only users with appropriate credentials will ever be able to access the information, regardless of where it resides (inside the network or outside). In addition, classified information is given legal protections such as visible watermarks and digital fingerprints, allowing the Schlumberger security team to track information as it moves from user to user. Key to this initiative was enabling the seamless flow of information, so that corporate policies can be applied automatically without users having to make decisions or do extra work.

BUSINESS VALUE: In Schlumberger's view, the primary threat of information loss is not an outsider bursting through a firewall to steal data; it is the thousands of trusted insiders who may mistakenly or maliciously allow sensitive information to fall into hands outside the organization, where harm can be done. The losses from this type of disclosure are astounding and widespread. This represented unacceptable risk to Schlumberger, and no amount of network security or perimeter hardening will address it, according to Chiock. However, by ensuring that each information object is classified and can only be used by parties with appropriate clearance, the Schlumberger security team has ensured the company will remain stalwart against threats unwittingly or purposely initiated by insiders, potentially saving the company millions of dollars.
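The entry describes the mechanism only at the level of policy: classify at creation, gate access on clearance, and fingerprint copies so that a leaked document can be traced back to the user it was issued to. As an added example (not Schlumberger's implementation, which the entry does not describe), the code below shows one simple way those pieces fit together: an ordered set of labels that decides whether a user may receive an object, and a per-recipient keyed fingerprint, an HMAC over the document digest, its label and the recipient, that identifies the source of a leaked copy and cannot be re-pointed at another user or survive tampering with the body without the key. The labels, users, document, key and trailer format are assumptions made for the example.

```python
"""Added example: clearance-gated issue of classified documents plus a
per-recipient keyed fingerprint for tracing leaked copies. Illustration
only, not Schlumberger's system. Labels, users, document, key and the
trailer format are constructed for the example."""
import hashlib
import hmac
from typing import Optional

# Ordered classification labels (assumed); a higher index is more sensitive.
LABELS = ["public", "internal", "confidential", "restricted"]
TRAILER = b"\n-- fingerprint:"


def may_access(clearance: str, classification: str) -> bool:
    """A user may receive an object only if their clearance dominates its label."""
    return LABELS.index(clearance) >= LABELS.index(classification)


def _fingerprint(key: bytes, digest: str, classification: str, recipient: str) -> bytes:
    msg = f"{digest}|{classification}|{recipient}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32].encode()


def issue_copy(key: bytes, content: bytes, classification: str,
               recipient: str, clearance: str) -> bytes:
    """Return a copy of `content` tagged for `recipient`, or raise if the
    recipient's clearance does not permit it. The tag binds the document
    digest, its label and the recipient together."""
    if not may_access(clearance, classification):
        raise PermissionError(f"{recipient} ({clearance}) may not receive {classification} data")
    digest = hashlib.sha256(content).hexdigest()
    return content + TRAILER + _fingerprint(key, digest, classification, recipient)


def trace_leak(key: bytes, leaked: bytes, classification: str,
               candidates: list) -> Optional[str]:
    """Identify which candidate recipient a leaked copy was issued to.

    The expected tag is recomputed for each candidate over the leaked body,
    so an altered body or label matches nobody rather than the wrong person."""
    body, sep, tag = leaked.rpartition(TRAILER)
    if not sep:
        return None
    digest = hashlib.sha256(body).hexdigest()
    for user in candidates:
        if hmac.compare_digest(_fingerprint(key, digest, classification, user), tag):
            return user
    return None


# Constructed data.
KEY = b"example-fingerprint-key-do-not-reuse"
DOCUMENT = b"Well log summary, block 7: porosity 18%, projected yield ..."
USERS = {"alice": "restricted", "bob": "confidential", "carol": "internal"}


def demo() -> dict:
    """Issue a confidential document to everyone cleared for it, then trace a leak."""
    issued = {}
    for user, clearance in USERS.items():
        try:
            issued[user] = issue_copy(KEY, DOCUMENT, "confidential", user, clearance)
        except PermissionError:
            pass                      # carol (internal) is refused
    leaked = issued["bob"]            # bob's copy turns up outside the company
    tampered = leaked.replace(b"18%", b"12%")
    return {
        "issued_to": sorted(issued),
        "source": trace_leak(KEY, leaked, "confidential", list(USERS)),
        "tampered": trace_leak(KEY, tampered, "confidential", list(USERS)),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the entry's own design answers: an appended trailer is trivially stripped by a hostile insider, which is why the visible watermark is there as well (it survives printing and screenshots), and the clearance rule above is enforced only at issue time, whereas encryption keyed to the recipient's credentials is what keeps enforcing it after the file leaves the network.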

TruStone Financial Federal Credit Union

PROJECT: Redundant data centers with a twist

LEADERS: Stephen Bohlig, chairman of the board; Bob Thompson, SVP of IT; John Verplank, VP of IT

DESCRIPTION: TruStone Financial re-engineered its application-based disaster recovery into one simple, efficient solution for all applications, called Enterprise Continuity Architecture. This architecture applies enterprise SAN and server technology to simplify TruStone's disaster recovery architecture. It features identical configurations at primary and secondary data centers. The servers boot from the SAN, and data changes replicate to the remote site in real time. Real-time replication protects against loss of a site, not against logical errors: a deletion or corruption at the primary is replicated just as faithfully, so point-in-time copies remain necessary alongside it.

BUSINESS VALUE: TruStone has increased its efficiency significantly. Fewer full-time employees are required in the data center, few manual procedures are needed, and maintenance tasks are greatly reduced. Less bandwidth is needed within the data centers, and TruStone no longer has to pay license costs for remote application software. TruStone's Business Continuance Security system is able to recover the data center at any time, in minutes, with virtually no lost data, offering real value to the enterprise.

UBS

PROJECT: Software security

LEADER: Ajoy Kumar, executive director and head of application security

DESCRIPTION: The UBS software security program addresses, in a holistic manner, information security for internally developed and externally developed code, as well as embedding security into the procurement process for third-party software products. The program comprises four tiers: governance; policy and process; automation and education; and metrics. The goal is to improve the security of all software across the company, starting with high-risk applications and expanding to all applications.

BUSINESS VALUE: First and foremost, the project afforded UBS full visibility into the risk profile of its applications. There is also real-time executive reporting on the security posture of high-risk applications across the enterprise. The software security program improved the working relationship between the development and security teams. Software security is assured through touch points with minimal impact on other business goals, and peer groups now facilitate cross-business-unit knowledge transfer.


UN Development Program

PROJECT: ISO 27001 and ISO 9001 certification by the information security unit of the United Nations Development Program (UNDP)

LEADER: Paul Raines, CISO

DESCRIPTION: Before undertaking the project, the information security unit of UNDP was considered largely ineffective. There were no information security policies for the organization; employees did not know what security practices they were to follow; there was no means of tracking the effectiveness of security; security incidents were often not reported or even responded to; and few country offices had disaster recovery plans to ensure continuity of operations. The vision of the information security unit was to be the premier information and communications technology security organization among nonprofit international organizations. Achieving this vision would provide assurance to executive management, donors and member nations that UNDP is exercising due diligence in protecting its sensitive information. To achieve it, the information security unit undertook to follow industry best practices in both the management of security (ISO 27001) and the implementation of a quality management system (ISO 9001). Certification under these two standards helps ensure continuous improvement, client satisfaction and unit effectiveness in executing UNDP's mission. The ultimate goal of the project was to provide assurance to the organization that the information security unit was exercising due diligence in protecting the confidentiality, integrity and availability of UNDP's information.

BUSINESS VALUE: The information security unit tracks these six metrics to demonstrate its success: creating business-driven information security policies and standards and ensuring compliance; providing information security awareness and training programs; addressing information security audit findings; ensuring country offices have
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
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
disaster recovery plans to ensure availability of information; the results of a risk assessment and development of a risk mitigation plan that tracks the status of these risks through metrics; and finally, how promptly and effectively information security incidents are responded to. UNDP also tracks client satisfaction through feedback on each security service rendered as well as through an annual survey asking about overall satisfaction with security in the organization, an approach that is unique within the

U.S. Department of Agriculture (USDA)

PROJECT: USDA's National Information Technology Center's FedRAMP Project

LEADERS: Greg Schmitz, director of the security division; Rob Arentsen, project officer and lead supervisor

DESCRIPTION: In 2012, the USDA's National Information Technology Center (NITC) identified a strategic goal to certify its cloud services under the Federal Risk and Authorization Management Program (FedRAMP), a rigorous security-approval program established by the Office of Management and Budget (OMB) and the Federal Chief Information Officer, with oversight from the General Services Administration.

BUSINESS VALUE: The OMB established the FedRAMP program in order to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud-based services. FedRAMP encompasses a "do once, use many times" framework intended to reduce the cost, time and staff required to conduct redundant agency security assessments and process monitoring reports.

U.S. Postal Service (USPS)

PROJECT: Continuous Network Device Monitoring

LEADER: Andrew Kotynski, manager of information systems security

DESCRIPTION: The purpose of the project was to manage the security posture of one of the world's largest networks, and part of the nation's critical infrastructure, the USPS. There are well over 35,000 retail locations, 4,000 business partners and a network with over 500,000 endpoints. The Corporate Information Security Office required an effective mechanism to evaluate new connectivity requests as well as to validate existing legacy infrastructure. The Network Connectivity Review Board designed and built a software-based security oversight repository that continuously analyzed the configurations of its layered network devices. The analysis also took in the results of vulnerability scans, identifying patching priorities, validating the enforcement of corporate network security policies, and ensuring compliance with PCI and other regulations.

BUSINESS VALUE: The team's goal was to enable staff to cut their review and approval times for new network connections by half, in an environment with over 1,000 network assets. The team identified over 80,000 redundant firewall rules in its first assessment. After cataloging and acting on the findings, the goal of cutting review times in half was achieved, reducing them from 2.3 days on average to 1.1 days.
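The 80,000 redundant rules the USPS team found are the kind of result a configuration repository produces automatically once device rule sets have been parsed into a common form. The following is an added example, not the USPS tool (whose design the entry does not detail), of the core check: walk an ordered, first-match rule set and report every rule whose entire match set is already covered by an earlier rule, distinguishing a harmless duplicate from a rule whose opposite action never takes effect. The rule names, addresses and five-tuple fields are constructed for the example.

```python
"""Added example: finding redundant and shadowed rules in a first-match
firewall policy. Illustration only, not the USPS repository. The rules
below are constructed."""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str                  # "tcp", "udp" or "any"
    dports: tuple = ANY_PORTS   # inclusive destination port range

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        proto_ok = self.proto == "any" or self.proto == other.proto
        ports_ok = self.dports[0] <= other.dports[0] and other.dports[1] <= self.dports[1]
        return src_ok and dst_ok and proto_ok and ports_ok


def find_covered(rules: list) -> list:
    """Return (rule, covering earlier rule, kind) for every unreachable rule.

    kind is "redundant" when the earlier rule takes the same action (the
    later rule can simply be deleted) and "shadowed" when the action
    differs (the later rule never fires: a policy defect, not just clutter)."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, earlier.name, kind))
                break   # first match decides; later covering rules are irrelevant
    return findings


# Constructed policy, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("R1", "allow", "10.0.0.0/8",  "192.168.10.0/24", "tcp", (443, 443)),
    Rule("R2", "deny",  "10.1.0.0/16", "192.168.10.5/32", "tcp", (443, 443)),  # never fires
    Rule("R3", "allow", "10.2.0.0/16", "192.168.10.0/24", "tcp", (443, 443)),  # duplicate of R1
    Rule("R4", "allow", "0.0.0.0/0",   "192.168.20.0/24", "tcp", (22, 22)),
    Rule("R5", "allow", "10.0.0.0/8",  "192.168.10.0/24", "tcp", (80, 443)),   # wider than R1
    Rule("R6", "deny",  "10.0.0.0/8",  "192.168.10.0/24", "udp", (53, 53)),
]

if __name__ == "__main__":
    for name, by, kind in find_covered(SAMPLE_RULES):
        print(f"{name} is {kind} by {by}")
```

On the constructed policy the check reports R2 as shadowed by R1 (the intended deny for one host is dead, which is the finding worth escalating) and R3 as redundant with R1. The pairwise test deliberately stays simple: it misses rules covered only by the union of several earlier rules, ignores zones, interfaces and stateful behaviour, and assumes the vendor syntax has already been normalized into the five-tuple form above.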

Williams Energy

PROJECT: Replacement of Williams' nine-year-old custom identity- and access-management application

LEADER: Paul Tucker, information security manager

DESCRIPTION: Williams Energy, a large energy infrastructure provider in North America, had developed a custom application for handling access requests from its 6,500 users, who include both employees and contractors. The system was cumbersome to use, manually oriented and ran on old hardware, which led to frequent outages. Williams recognized it was time for a new solution to streamline the request process. However, it was critical that the new tool deliver the same level of compliance as the one it was replacing. For example, it needed to prevent certain employees from requesting access to sensitive applications. The new application also had to ensure regular operations were not affected.

BUSINESS VALUE: Williams completed a proof of concept in under 10 days, proving a packaged identity- and access-management application could meet its needs. The application delivered the necessary functionality with zero business disruption. Before the project, the IT staff at Williams handled 3,000 to 4,000 provisioning tasks per month; the new application cut that workload by 50 percent through auto-provisioning. End users report access requests are also faster and easier, as they can quickly locate the components they need access to. The system retains a full history of requests and attestations for easy auditing, saving much time. ■


How the winners were chosen

IN TOTAL, WE RECEIVED more than 100 nominations, which were then whittled down to 40 by CSO staff and a panel of six outside judges: Andy Ellis, Akamai; Curtis Dalton, Sapient; Jason Taule, Fei Systems; Lorna Koppel, Iron Mountain; Mark Weatherford, The Chertoff Group; Robert Schadey, 1901 Group. Each nomination was reviewed independently by two judges, and no judges evaluated applications from their own companies. From there, the editorial staff made the final honoree selection based on total scores. Chart information compiled and written by project manager Sara Shay.
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
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
Ten Tweets: Josh Corman

@joshcorman

Security veteran Josh Corman talks about superheroes, job changes and swimming with sharks

Joan Goodchild (@msjoanieg): How did you first get into security as a career?

Josh Corman: I always wanted to be a superhero; just lacked special powers. My first InfoSec job was at a 2001 stealth startup that dealt with espionage-based malware, like FireEye but agent-based. Sold into ISS (then IBM).

Has your career allowed you to be superhuman in some ways? What has your philosophy been over the years in this career?

I'm just a guy trying to have an impact. My belief is this is 90 percent human factors, 10 percent tech. Our dependence on technology is growing faster than our ability to defend it. I relentlessly push us to be more strategic.

You recently joined Sonatype as their new CTO. How is that going?

Today is my two-month mark as CTO! Great fit. I've been passionate about rugged software, application security and devops for years. Now it's my job.

What prompted the move to Sonatype?

My mom died last January. That crystallized my priorities and made me hyper-conscious of time. And it was time to be Chief. My heart shifted to security that affected public safety, human life, civil liberties: things that mattered.

Outside of your work at Sonatype, you've got a lot of other security-related projects, too. Let's start with I Am the Cavalry....

Part of my rock bottom was realizing "The cavalry isn't coming"; it falls to us. So @c7five [Nicholas Percoco] and I stuck our necks out at #Defcon21 and challenged everyone to lead on issues affecting body/mind/soul, and @iamthecavalry was born.

How do you feel your work on @iamthecavalry has gone so far?

Very well; it could've been DoA but it resonated instantly. A hundred people joined the second @DerbyCon Congress. It resonates with mainstream, policy makers, peers, family.... It is needed. It is time.

You gave a TEDx talk late last year titled "Swimming With Sharks." Tell us more about its focus.

It was a case for @iamthecavalry. Why it matters. It's very hard to speak to masses without jargon or three-letter acronyms, and having to explain basic knowledge. Even harder to do so in a way that doesn't offend the security digerati. Very tough to balance.

What about @RuggedSoftware? How does that fit in?

My instinct was that security had to team up with development. While that's true, I realized the greater truth: This is bigger than security and development; public safety needs public solutions.

Sum up your greatest hope for where you see this mission and collaboration headed.

Our public safety focus is driving to substantive improvements and policy change for: auto, medical, home Internet of Things, and public infrastructure. We need to make sure our technology dependence is worthy of our trust.

Complete this sentence: If I weren't in security, I would be _____.

Tough one! If the world was safer without my help... One or more of: independent filmmaker, chef, teacher.

See more at: http://blogs.csoonline.com/node/3054
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
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
ADVERTORIAL

Market Pulse

How Enterprises Can Benefit from Physical Identity and Access Management

A NEW IDG RESEARCH SURVEY REVEALS A GAP BETWEEN ENTERPRISES' DESIRE FOR THE INTELLIGENCE PIAM OFFERS AND ITS IMPLEMENTATION.

In IT, silos are insidious: They propagate in places one might never expect. Take identity and access management (IAM). IT has focused on the digital aspects of authenticating and authorizing employees' identities when they access data. But enterprises also control physical access to data through badges, ID cards or keys. Too often, the systems tracking physical access and those tracking digital access, even though they both monitor the movements of employees and contractors, are siloed.

To eliminate these silos, the boundaries of IAM are evolving. A new IDG Research survey reveals a high level of interest in the capabilities of physical identity and access management (PIAM).

In today's security-conscious enterprise, PIAM reduces both digital and physical risks. It manages policies, procedures and access rules for on-boarding and off-boarding all kinds of worker identities: full- or part-time employees, contractors, vendors or temporary workers. By correlating employees' specific roles or identity attributes with data access, whether physical or digital, enterprises can more consistently control access. By centralizing the provisioning process and automating the workflows relating to requisitions and approvals through a PIAM system, enterprises can quickly and efficiently ensure security and auditing of access.

Because of these capabilities, 64 percent of IT executives consider implementing PIAM a critical or high priority, according to the IDG Research survey, which was conducted in December 2013. Almost as many executives, 60 percent, believe PIAM has increased as a priority over last year.

PIAM systems also improve insight because they accurately manage and track the granular aspects of physical security access, such as:

» Who. Any given enterprise offers access to a dizzying array of roles: employees, contractors, seasonal employees, temporary employees, visitors, vendors.

» Where. PIAM systems accurately assess who is where and why. Physical access, when correlated with the risk profile of workers and that of a physical space (secure areas such as data centers exhibit higher risks than other locations, like cafeterias), creates tight policy control and accountability.

» When. Enterprises can identify potential unauthorized activities by tracking who attempts access to specific areas after hours or on weekends.

PIAM eliminates security silos because it manages physical perimeter access and integrates that data into back-end systems. Leading-edge PIAM software can integrate policy information from multiple access-control systems into a single management view. PIAM systems also connect with security systems in IT and database systems in human resources to manage a person's identities throughout his or her employment with the enterprise.

PIAM solutions offer distinct benefits in three areas:

» Corporate Risk Reduction: Enterprises can configure and customize a PIAM system to comply with their specific policies and procedures.

» Operating Cost Reduction: PIAM supports automation of processes and procedures related to enterprise access governance.

» Compliance: Enterprises in regulated industries can define internal controls related to physical access, audit and access recertifications.

A properly deployed and configured PIAM solution can deliver these benefits while integrating physical and digital access rights at the same time. With this integration, PIAM solutions provide unprecedented insights into an enterprise's security posture, ultimately providing a high level of reliability and confidence for IT and security officers.

For a copy of the full whitepaper "How Enterprises Can Benefit from Physical Identity and Access Management" visit www.csoonline.com/whitepapers/piam.
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